diff --git a/main.go b/main.go index 29c06d22abc4e9b467b843f9f4089a1018f5a934..4b185f0662fb0a9241ddbee6bb49bac97bf9ac06 100644 --- a/main.go +++ b/main.go @@ -2,6 +2,8 @@ package main import ( "bytes" + "encoding/json" + "fmt" "io" "io/ioutil" "log" @@ -15,11 +17,15 @@ var i int func main() { mainH := http.HandlerFunc(helloServer) go http.ListenAndServe(":8091", middleware(mainH)) - sendPostRequestMultipart("http://localhost:8090/tasks/create/file", "/home/jean/Wza.txt") + //taskid := sendPostRequestMultipart("http://localhost:8090/tasks/create/file", "/home/jean/Wza.txt") + sendGetSummaryReport(5) + //sendPostRequestMultipart("http://localhost:8090/tasks/summary/") // h := http.HandlerFunc(SaveFile) // http.ListenAndServe(":8080", Middleware(h)) } +//subject, corps du mail, expéditeur, URL, hash + func helloServer(w http.ResponseWriter, r *http.Request) { //fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:]) } @@ -60,7 +66,12 @@ func middleware(next http.Handler) http.Handler { }) } -func sendPostRequestMultipart(url string, filename string) (string, []byte) { +//UploadResponse struct +type UploadResponse struct { + TaskID int `json:"task_id"` +} + +func sendPostRequestMultipart(url string, filename string) int { client := &http.Client{} req, err := newfileUploadRequest(url, nil, "file", filename) if err != nil { 
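Review bot: `sendGetSummaryReport(5)` in `main` hard-codes the task id while the line that obtains it from the upload is left commented out, so the program fetches a fixed task's summary instead of the one it just created; prefer `taskid := sendPostRequestMultipart("http://localhost:8090/tasks/create/file", "/home/jean/Wza.txt")` followed by `sendGetSummaryReport(taskid)`, and delete the commented-out calls rather than keeping them as dead code. The added `//subject, corps du mail, expéditeur, URL, hash` reads as a to-do list; if it is one, write it as `// TODO: extract subject, mail body, sender, URL and hash` so tooling picks it up. Note also that `main` returns as soon as the summary call finishes, which terminates the `http.ListenAndServe` goroutine started just above it; if the server is meant to stay up, the call needs a blocking wait (that line predates this commit).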
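Review bot: `//UploadResponse struct` restates the declaration and is not a Go doc comment; write `// UploadResponse is the JSON body returned by the file-upload endpoint; only task_id is read.`. The signature of `sendPostRequestMultipart` changes from `(string, []byte)` to `int` without any comment saying what the int is; add `// sendPostRequestMultipart uploads filename to url as a multipart form and returns the task id from the server's JSON reply.` above it. The function body continues past the end of the hunk.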
@@ -72,10 +83,39 @@ func sendPostRequestMultipart(url string, filename string) (string, []byte) { log.Fatal(err) } content, err := ioutil.ReadAll(resp.Body) + //fmt.Printf(string(content)) + if err != nil { + log.Fatal(err) + } + + var uploadResponse UploadResponse + err = json.Unmarshal(content, &uploadResponse) if err != nil { log.Fatal(err) } - return resp.Status, content + //fmt.Println("Task ID:", uploadResponse.TaskID) + + return uploadResponse.TaskID +} + +func sendGetSummaryReport(taskid int) string { + url := fmt.Sprintf("http://localhost:8090/tasks/summary/%d", taskid) + fmt.Println(url) + + client := &http.Client{} + req, err := http.NewRequest("GET", url, nil) + if err != nil { + log.Fatal(err) + } + req.Header.Set("Authorization", "Bearer AY5sMv_FiWfFTLjwc4nQRw") + resp, err := client.Do(req) + if err != nil { + log.Fatal(err) + } + + content, err := ioutil.ReadAll(resp.Body) + fmt.Printf(string(content)) + return string(content) } // Creates a new file upload http request with optional extra params @@ -104,4 +144,5 @@ func newfileUploadRequest(uri string, params map[string]string, paramName, path req, err := http.NewRequest("POST", uri, body) req.Header.Set("Content-Type", writer.FormDataContentType()) return req, err + } diff --git a/struct.go b/struct.go new file mode 100644 index 0000000000000000000000000000000000000000..7a0abd1e992f515d92c903fb1a51a995e1cbb538 --- /dev/null +++ b/struct.go 
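Review bot: `sendGetSummaryReport` ships a bearer token in source (`req.Header.Set("Authorization", "Bearer AY5sMv_FiWfFTLjwc4nQRw")`); once committed it lives in the repository history for anyone with read access, so it should be read from configuration and the committed value treated as exposed. The same function discards the `ioutil.ReadAll` error, never closes `resp.Body`, and passes the response body to `fmt.Printf` as the format string, which `go vet` flags and which mangles any `%` in the payload; in `sendPostRequestMultipart` the new `json.Unmarshal` runs regardless of `resp.StatusCode`, so an error reply silently yields task id 0, and a check such as `if resp.StatusCode != http.StatusOK { log.Fatalf("upload returned %s", resp.Status) }` belongs before it. The rewrite below reads the token from the environment (the variable name is only an example), adds a client timeout and a status check, closes the body, and prints with `fmt.Print`; it needs `os` and `time` added to the import block.

```go
func sendGetSummaryReport(taskid int) string {
	url := fmt.Sprintf("http://localhost:8090/tasks/summary/%d", taskid)
	fmt.Println(url)

	client := &http.Client{Timeout: 30 * time.Second}
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		log.Fatal(err)
	}
	// Example variable name; the token must not live in the source tree.
	req.Header.Set("Authorization", "Bearer "+os.Getenv("SANDBOX_API_TOKEN"))
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	content, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	if resp.StatusCode != http.StatusOK {
		log.Fatalf("summary request for task %d returned %s", taskid, resp.Status)
	}
	// Body is data, not a format string.
	fmt.Print(string(content))
	return string(content)
}
```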
@@ -0,0 +1,230 @@ +type AutoGenerated struct { + Info struct { + Added float64 `json:"added"` + Started float64 `json:"started"` + Duration int `json:"duration"` + Ended float64 `json:"ended"` + Owner interface{} `json:"owner"` + Score float64 `json:"score"` + ID int `json:"id"` + Category string `json:"category"` + Git struct { + Head string `json:"head"` + FetchHead string `json:"fetch_head"` + } `json:"git"` + Monitor string `json:"monitor"` + Package string `json:"package"` + Route string `json:"route"` + Custom interface{} `json:"custom"` + Machine struct { + Status string `json:"status"` + Name string `json:"name"` + Label string `json:"label"` + Manager string `json:"manager"` + StartedOn string `json:"started_on"` + ShutdownOn string `json:"shutdown_on"` + } `json:"machine"` + Platform interface{} `json:"platform"` + Version string `json:"version"` + Options string `json:"options"` + } `json:"info"` + Procmemory []struct { + Regions []struct { + Protect string `json:"protect"` + End string `json:"end"` + Addr string `json:"addr"` + State int `json:"state"` + Offset int `json:"offset"` + Type int `json:"type"` + Size int `json:"size"` + } `json:"regions"` + Yara []interface{} `json:"yara"` + Num int `json:"num"` + File string `json:"file"` + Urls []string `json:"urls"` + Extracted []struct { + Yara []struct { + Meta struct { + Description string `json:"description"` + } `json:"meta"` + Name string `json:"name"` + Offsets struct { + Var1 [][]int `json:"var1"` + } `json:"offsets"` + Strings []string `json:"strings"` + } `json:"yara"` + Sha1 string `json:"sha1"` + Name string `json:"name"` + Type string `json:"type"` + Sha256 string `json:"sha256"` + Urls []string `json:"urls"` + Crc32 string `json:"crc32"` + Path string `json:"path"` + Ssdeep interface{} `json:"ssdeep"` + Size int `json:"size"` + Sha512 string `json:"sha512"` + Md5 string `json:"md5"` + } `json:"extracted"` + Pid int `json:"pid"` + } `json:"procmemory"` + Target struct { + Category string 
`json:"category"` + File struct { + Yara []interface{} `json:"yara"` + Sha1 string `json:"sha1"` + Name string `json:"name"` + Type string `json:"type"` + Sha256 string `json:"sha256"` + Urls []string `json:"urls"` + Crc32 string `json:"crc32"` + Path string `json:"path"` + Ssdeep interface{} `json:"ssdeep"` + Size int `json:"size"` + Sha512 string `json:"sha512"` + Md5 string `json:"md5"` + } `json:"file"` + } `json:"target"` + Extracted []struct { + Category string `json:"category"` + Yara []interface{} `json:"yara"` + Info struct { + } `json:"info"` + Pid int `json:"pid"` + Raw string `json:"raw"` + Program string `json:"program"` + FirstSeen float64 `json:"first_seen"` + } `json:"extracted"` + Virustotal struct { + Summary struct { + Error string `json:"error"` + } `json:"summary"` + } `json:"virustotal"` + Network struct { + Mitm []interface{} `json:"mitm"` + } `json:"network"` + Signatures []struct { + Families []interface{} `json:"families"` + Description string `json:"description"` + Severity int `json:"severity"` + Ttp struct { + } `json:"ttp"` + Markcount int `json:"markcount"` + References []interface{} `json:"references"` + Marks []struct { + Call struct { + Category string `json:"category"` + Status int `json:"status"` + Stacktrace []interface{} `json:"stacktrace"` + Raw []string `json:"raw"` + API string `json:"api"` + ReturnValue int `json:"return_value"` + Arguments struct { + Stacktrace string `json:"stacktrace"` + Registers struct { + Esp int `json:"esp"` + Edi int `json:"edi"` + Eax int `json:"eax"` + Ebp int `json:"ebp"` + Edx int `json:"edx"` + Ebx int `json:"ebx"` + Esi int `json:"esi"` + Ecx int64 `json:"ecx"` + } `json:"registers"` + Exception struct { + InstructionR string `json:"instruction_r"` + Symbol string `json:"symbol"` + Instruction string `json:"instruction"` + Module string `json:"module"` + ExceptionCode string `json:"exception_code"` + Offset int `json:"offset"` + Address string `json:"address"` + } `json:"exception"` + } 
`json:"arguments"` + Time float64 `json:"time"` + Tid int `json:"tid"` + Flags struct { + } `json:"flags"` + } `json:"call"` + Pid int `json:"pid"` + Type string `json:"type"` + Cid int `json:"cid"` + } `json:"marks"` + Name string `json:"name"` + } `json:"signatures"` + Behavior struct { + Generic []struct { + ProcessPath string `json:"process_path"` + ProcessName string `json:"process_name"` + Pid int `json:"pid"` + Summary struct { + } `json:"summary"` + FirstSeen float64 `json:"first_seen"` + Ppid int `json:"ppid"` + } `json:"generic"` + Apistats struct { + Num2852 struct { + NtCreateSection int `json:"NtCreateSection"` + GetSystemTimeAsFileTime int `json:"GetSystemTimeAsFileTime"` + NtUnmapViewOfSection int `json:"NtUnmapViewOfSection"` + LdrGetProcedureAddress int `json:"LdrGetProcedureAddress"` + SetUnhandledExceptionFilter int `json:"SetUnhandledExceptionFilter"` + Exception int `json:"__exception__"` + NtFreeVirtualMemory int `json:"NtFreeVirtualMemory"` + NtClose int `json:"NtClose"` + NtAllocateVirtualMemory int `json:"NtAllocateVirtualMemory"` + NtTerminateProcess int `json:"NtTerminateProcess"` + LdrGetDllHandle int `json:"LdrGetDllHandle"` + NtMapViewOfSection int `json:"NtMapViewOfSection"` + } `json:"2852"` + } `json:"apistats"` + Processes []struct { + ProcessPath string `json:"process_path"` + Calls []interface{} `json:"calls"` + Track bool `json:"track"` + Pid int `json:"pid"` + ProcessName string `json:"process_name"` + CommandLine string `json:"command_line"` + Modules []struct { + Basename string `json:"basename"` + Imgsize int `json:"imgsize"` + Baseaddr string `json:"baseaddr"` + Filepath string `json:"filepath"` + } `json:"modules"` + Time int `json:"time"` + Tid int `json:"tid"` + FirstSeen float64 `json:"first_seen"` + Ppid int `json:"ppid"` + Type string `json:"type"` + } `json:"processes"` + Processtree []struct { + Track bool `json:"track"` + Pid int `json:"pid"` + ProcessName string `json:"process_name"` + CommandLine string 
`json:"command_line"` + FirstSeen float64 `json:"first_seen"` + Ppid int `json:"ppid"` + Children []interface{} `json:"children"` + } `json:"processtree"` + } `json:"behavior"` + Debug struct { + Action []string `json:"action"` + Dbgview []interface{} `json:"dbgview"` + Errors []string `json:"errors"` + Log []string `json:"log"` + Cuckoo []string `json:"cuckoo"` + } `json:"debug"` + Screenshots []struct { + Path string `json:"path"` + Ocr string `json:"ocr"` + } `json:"screenshots"` + Strings []string `json:"strings"` + Metadata struct { + Output struct { + Memdumps []struct { + Basename string `json:"basename"` + Sha256 string `json:"sha256"` + Dirname string `json:"dirname"` + } `json:"memdumps"` + } `json:"output"` + } `json:"metadata"` +} \ No newline at end of file diff --git a/task.json b/task.json new file mode 100644 index 0000000000000000000000000000000000000000..87aea7b63892bfabaaa639ab6fa427e36860684a --- /dev/null +++ b/task.json 
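Review bot: `struct.go` has no `package main` clause before `type AutoGenerated struct {`, so the new file will not compile next to `main.go`; add `package main` as its first line. The `Apistats` field bakes one process id into the Go type (`Num2852 struct {…} \`json:"2852"\``), but that key is a PID that differs per report, so every other report decodes to an empty struct; `Apistats map[string]map[string]int \`json:"apistats"\`` fits the data and matches the `task.json` sample in this commit, whose keys are "1952" and "2976". The same applies to `Offsets struct { Var1 [][]int }`, where the key is the YARA variable name and a `map[string][][]int` is the right shape. The exported type also needs a doc comment, e.g. `// AutoGenerated is the decoded task report JSON; task.json in this repository is a sample.`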
@@ -0,0 +1 @@ +{"behavior":{"apistats":{"1952":{"CoCreateInstance":2,"CoGetClassObject":4,"CoInitializeEx":1,"CoInitializeSecurity":1,"CoUninitialize":1,"GetFileInformationByHandle":2,"GetFileSize":4,"GetSystemDirectoryW":3,"GetSystemInfo":3,"GetSystemTimeAsFileTime":14,"LdrGetDllHandle":8,"LdrGetProcedureAddress":39,"LdrLoadDll":9,"LdrUnloadDll":2,"NtAllocateVirtualMemory":16,"NtClose":58,"NtCreateFile":5,"NtCreateSection":4,"NtDuplicateObject":2,"NtFreeVirtualMemory":6,"NtMapViewOfSection":4,"NtOpenDirectoryObject":1,"NtOpenFile":1,"NtOpenKey":3,"NtOpenKeyEx":91,"NtOpenProcess":2,"NtProtectVirtualMemory":2,"NtQueryKey":99,"NtQuerySystemInformation":1,"NtQueryValueKey":39,"NtReadFile":86,"NtTerminateProcess":3,"NtUnmapViewOfSection":6,"RegCloseKey":71,"RegCreateKeyExW":1,"RegEnumKeyW":6,"RegQueryValueExW":3,"SetFilePointer":108,"SetUnhandledExceptionFilter":1},"2976":{"CoCreateInstance":2,"CoUninitialize":1,"CreateActCtxW":2,"CreateProcessInternalW":1,"CreateServiceA":1,"CreateThread":3,"CreateToolhelp32Snapshot":1,"CryptAcquireContextA":1,"CryptCreateHash":1,"CryptHashData":3,"DeviceIoControl":2,"FindFirstFileExW":4,"FindWindowA":4,"GetFileAttributesW":1,"GetNativeSystemInfo":4,"GetSystemDirectoryW":4,"GetSystemInfo":3,"GetSystemTimeAsFileTime":6,"GetSystemWindowsDirectoryA":6,"GetSystemWindowsDirectoryW":7,"GetVolumeNameForVolumeMountPointW":3,"GetVolumePathNamesForVolumeNameW":8,"GlobalMemoryStatusEx":1,"LdrGetDllHandle":33,"LdrGetProcedureAddress":306,"LdrLoadDll":31,"LdrUnloadDll":4,"LoadStringW":2,"LookupPrivilegeValueW":4,"Module32FirstW":1,"Module32NextW":21,"NtAllocateVirtualMemory":50,"NtClose":230,"NtCreateFile":12,"NtCreateMutant":5,"NtCreateSection":6,"NtDelayExecution":1,"NtDeviceIoControlFile":1,"NtDuplicateObject":4,"NtFreeVirtualMemory":17,"NtGetContextThread":1,"NtMapViewOfSection":6,"NtOpenDirectoryObject":1,"NtOpenFile":2,"NtOpenKey":14,"NtOpenKeyEx":159,"NtOpenProcess":4,"NtProtectVirtualMemory":47,"NtQueryAttributesFile":2,"NtQueryDirectoryFil
e":71,"NtQueryInformationFile":3,"NtQueryKey":144,"NtQuerySystemInformation":1,"NtQueryValueKey":113,"NtReadFile":1,"NtTerminateProcess":3,"NtUnmapViewOfSection":10,"NtWriteFile":1,"OleInitialize":1,"OpenSCManagerA":2,"OpenServiceA":3,"RegCloseKey":26,"RegCreateKeyExA":4,"RegEnumKeyW":18,"RegOpenKeyExA":14,"RegOpenKeyExW":14,"RegQueryValueExA":9,"RegQueryValueExW":20,"RegSetValueExA":15,"SetErrorMode":9,"SetFileAttributesW":2,"SetFilePointer":1,"SetFilePointerEx":1,"SetUnhandledExceptionFilter":5,"ShellExecuteExW":2,"StartServiceA":1,"__exception__":5}},"generic":[{"first_seen":1606943649.755751,"pid":1952,"ppid":2976,"process_name":"firefox.exe","process_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","summary":{"dll_loaded":["ntmarta.dll","C:\\Windows\\system32\\IMM32.DLL","api-ms-win-appmodel-runtime-l1-1-2","C:\\Windows\\system32\\actxprxy.dll","gdi32.dll","OLEAUT32","OLEAUT32.dll","C:\\Program Files\\Internet Explorer\\ieproxy.dll","ole32.dll"],"file_opened":["C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\System32\\shell32.dll","C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe"],"file_read":["C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\System32\\shell32.dll"],"guid":["{00000320-0000-0000-c000-000000000046}","{0000015b-0000-0000-c000-000000000046}","{00020420-0000-0000-c000-000000000046}","{9ba05972-f6a8-11cf-a442-00a0c90a8f39}","{85cb6900-4d95-11cf-960c-0080c7f4ee85}","{d5f569d0-593b-101a-b569-08002b2dbf7a}","{0000034b-0000-0000-c000-000000000046}"],"regkey_opened":["HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher"],"regkey_read":["HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla 
Firefox\\firefox.exe|Launcher","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla 
Firefox\\firefox.exe|Image","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles"]}},{"first_seen":1606943648.427626,"pid":2976,"ppid":3028,"process_name":"Win32.DarkTequila.exe","process_path":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","summary":{"command_line":["\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974"],"directory_enumerated":["C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Windows\\SysWOW64","C:\\Windows","C:\\Windows\\SysWOW64\\*.*"],"dll_loaded":["ADVAPI32.dll","C:\\Windows\\system32\\IMM32.DLL","wpcap.dll","api-ms-win-downlevel-advapi32-l1-1-0.dll","urlmon.dll","api-ms-win-downlevel-ole32-l1-1-0.dll","PROPSYS.dll","apphelp.dll","gdi32.dll","Shell32.dll","KERNEL32.DLL","msvcrt.dll","OLEAUT32.dll","api-ms-win-downlevel-shlwapi-l2-1-0.dll","advapi32.dll","API-MS-Win-Core-LocalRegistry-L1-1-0.dll","Ole32.dll","SETUPAPI.dll","CRYPTSP.dll","ole32.dll","comctl32.dll"],"file_created":["c:\\Windows\\csrss.dll"],"file_exists":["C:\\Windows\\SysWOW64\\ieframe.dll"],"file_opened":["C:\\Windows\\AppPatch\\sysmain.sdb","C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Windows\\SysWOW64\\","\\??\\c:","\\??\\PhysicalDrive0","C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui"],"file_read":["C:\\Windows\\SysWOW64\\ieframe.dll"],"file_recreated":["\\??\\C:"],"file_written":["c:\\Windows\\csrss.dll"],"guid":["{76765b11-3f95-4af2-ac9d-ea55d8994f1a}","{00000000-0000-0000-c000-000000000046}","{871c5380-42a0-1069-a2ea-08002b30309d}","{000214e6-0000-0000-c000-000000000046}"],"mutex":["Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"],"reg
key_opened":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\SYSTEM\\Select","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"],"regkey_read":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\
\Internet Explorer\\Main\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\AdminTabProcs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy","HKEY_LOCAL_MACHIN
E\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 
0xFFFF","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell 
Folders\\Cache"],"regkey_written":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\Wcsrss","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64"]}},{"first_seen":1606943609.640625,"pid":500,"ppid":384,"process_name":"lsass.exe","process_path":"C:\\Windows\\System32\\lsass.exe","summary":{}}],"processes":[{"calls":[],"command_line":"C:\\Windows\\system32\\lsass.exe","first_seen":1606943609.640625,"modules":[{"baseaddr":"0xff020000","basename":"lsass.exe","filepath":"C:\\Windows\\system32\\lsass.exe","imgsize":49152},{"baseaddr":"0x777e0000","basename":"ntdll.dll","filepath":"C:\\Windows\\SYSTEM32\\ntdll.dll","imgsize":1744896},{"baseaddr":"0x775c0000","basename":"kernel32.dll","filepath":"C:\\Windows\\system32\\kernel32.dll","imgsize":1175552},{"baseaddr"
:"0x7fefd5b0000","basename":"KERNELBASE.dll","filepath":"C:\\Windows\\system32\\KERNELBASE.dll","imgsize":434176},{"baseaddr":"0x7fefe0f0000","basename":"msvcrt.dll","filepath":"C:\\Windows\\system32\\msvcrt.dll","imgsize":651264},{"baseaddr":"0x7feff660000","basename":"RPCRT4.dll","filepath":"C:\\Windows\\system32\\RPCRT4.dll","imgsize":1232896},{"baseaddr":"0x7fefd290000","basename":"SspiSrv.dll","filepath":"C:\\Windows\\system32\\SspiSrv.dll","imgsize":45056},{"baseaddr":"0x7fefd0e0000","basename":"lsasrv.dll","filepath":"C:\\Windows\\system32\\lsasrv.dll","imgsize":1482752},{"baseaddr":"0x7feff350000","basename":"sechost.dll","filepath":"C:\\Windows\\SYSTEM32\\sechost.dll","imgsize":126976},{"baseaddr":"0x7fefd2a0000","basename":"SspiCli.dll","filepath":"C:\\Windows\\system32\\SspiCli.dll","imgsize":151552},{"baseaddr":"0x7feff3f0000","basename":"ADVAPI32.dll","filepath":"C:\\Windows\\system32\\ADVAPI32.dll","imgsize":897024},{"baseaddr":"0x776e0000","basename":"USER32.dll","filepath":"C:\\Windows\\system32\\USER32.dll","imgsize":1024000},{"baseaddr":"0x7fefdf40000","basename":"GDI32.dll","filepath":"C:\\Windows\\system32\\GDI32.dll","imgsize":421888},{"baseaddr":"0x7feff340000","basename":"LPK.dll","filepath":"C:\\Windows\\system32\\LPK.dll","imgsize":57344},{"baseaddr":"0x7fefda90000","basename":"USP10.dll","filepath":"C:\\Windows\\system32\\USP10.dll","imgsize":831488},{"baseaddr":"0x7fefcf60000","basename":"SAMSRV.dll","filepath":"C:\\Windows\\system32\\SAMSRV.dll","imgsize":790528},{"baseaddr":"0x7fefcf40000","basename":"cryptdll.dll","filepath":"C:\\Windows\\system32\\cryptdll.dll","imgsize":81920},{"baseaddr":"0x7fefd4e0000","basename":"MSASN1.dll","filepath":"C:\\Windows\\system32\\MSASN1.dll","imgsize":61440},{"baseaddr":"0x7fefced0000","basename":"wevtapi.dll","filepath":"C:\\Windows\\system32\\wevtapi.dll","imgsize":446464},{"baseaddr":"0x7feff1f0000","basename":"IMM32.DLL","filepath":"C:\\Windows\\system32\\IMM32.DLL","imgsize":188416},{"baseaddr":"0
x7feff220000","basename":"MSCTF.dll","filepath":"C:\\Windows\\system32\\MSCTF.dll","imgsize":1085440},{"baseaddr":"0x7fefcec0000","basename":"cngaudit.dll","filepath":"C:\\Windows\\system32\\cngaudit.dll","imgsize":36864},{"baseaddr":"0x7fefce90000","basename":"AUTHZ.dll","filepath":"C:\\Windows\\system32\\AUTHZ.dll","imgsize":192512},{"baseaddr":"0x7fefce40000","basename":"ncrypt.dll","filepath":"C:\\Windows\\system32\\ncrypt.dll","imgsize":327680},{"baseaddr":"0x7fefce10000","basename":"bcrypt.dll","filepath":"C:\\Windows\\system32\\bcrypt.dll","imgsize":139264},{"baseaddr":"0x75240000","basename":"msprivs.DLL","filepath":"C:\\Windows\\system32\\msprivs.DLL","imgsize":8192},{"baseaddr":"0x7fefcdd0000","basename":"netjoin.dll","filepath":"C:\\Windows\\system32\\netjoin.dll","imgsize":204800},{"baseaddr":"0x7fefcda0000","basename":"negoexts.DLL","filepath":"C:\\Windows\\system32\\negoexts.DLL","imgsize":147456},{"baseaddr":"0x7fefd250000","basename":"Secur32.dll","filepath":"C:\\Windows\\system32\\Secur32.dll","imgsize":45056},{"baseaddr":"0x7fefd330000","basename":"cryptbase.dll","filepath":"C:\\Windows\\system32\\cryptbase.dll","imgsize":61440},{"baseaddr":"0x7fefcce0000","basename":"kerberos.DLL","filepath":"C:\\Windows\\system32\\kerberos.DLL","imgsize":753664},{"baseaddr":"0x7fefccc0000","basename":"CRYPTSP.dll","filepath":"C:\\Windows\\system32\\CRYPTSP.dll","imgsize":98304},{"baseaddr":"0x7fefdb60000","basename":"WS2_32.dll","filepath":"C:\\Windows\\system32\\WS2_32.dll","imgsize":315392},{"baseaddr":"0x7feff330000","basename":"NSI.dll","filepath":"C:\\Windows\\system32\\NSI.dll","imgsize":32768},{"baseaddr":"0x7fefcc60000","basename":"mswsock.dll","filepath":"C:\\Windows\\system32\\mswsock.dll","imgsize":348160},{"baseaddr":"0x7fefcc50000","basename":"wship6.dll","filepath":"C:\\Windows\\System32\\wship6.dll","imgsize":28672},{"baseaddr":"0x7fefcbf0000","basename":"msv1_0.DLL","filepath":"C:\\Windows\\system32\\msv1_0.DLL","imgsize":335872},{"baseaddr":"0x7f
efcb40000","basename":"netlogon.DLL","filepath":"C:\\Windows\\system32\\netlogon.DLL","imgsize":712704},{"baseaddr":"0x7fefcae0000","basename":"DNSAPI.dll","filepath":"C:\\Windows\\system32\\DNSAPI.dll","imgsize":372736},{"baseaddr":"0x7fefcab0000","basename":"logoncli.dll","filepath":"C:\\Windows\\system32\\logoncli.dll","imgsize":196608},{"baseaddr":"0x7fefca50000","basename":"schannel.DLL","filepath":"C:\\Windows\\system32\\schannel.DLL","imgsize":360448},{"baseaddr":"0x7fefd660000","basename":"CRYPT32.dll","filepath":"C:\\Windows\\system32\\CRYPT32.dll","imgsize":1495040},{"baseaddr":"0x7fefca10000","basename":"wdigest.DLL","filepath":"C:\\Windows\\system32\\wdigest.DLL","imgsize":221184},{"baseaddr":"0x7fefc9c0000","basename":"rsaenh.dll","filepath":"C:\\Windows\\system32\\rsaenh.dll","imgsize":290816},{"baseaddr":"0x7fefc9a0000","basename":"tspkg.DLL","filepath":"C:\\Windows\\system32\\tspkg.DLL","imgsize":102400},{"baseaddr":"0x7fefc950000","basename":"pku2u.DLL","filepath":"C:\\Windows\\system32\\pku2u.DLL","imgsize":282624},{"baseaddr":"0x7fefc900000","basename":"bcryptprimitives.dll","filepath":"C:\\Windows\\system32\\bcryptprimitives.dll","imgsize":311296},{"baseaddr":"0x7fefd420000","basename":"RpcRtRemote.dll","filepath":"C:\\Windows\\system32\\RpcRtRemote.dll","imgsize":81920},{"baseaddr":"0x7fefc8e0000","basename":"efslsaext.dll","filepath":"C:\\Windows\\system32\\efslsaext.dll","imgsize":73728},{"baseaddr":"0x7fefc8a0000","basename":"scecli.DLL","filepath":"C:\\Windows\\system32\\scecli.DLL","imgsize":253952},{"baseaddr":"0x7fefc890000","basename":"credssp.dll","filepath":"C:\\Windows\\system32\\credssp.dll","imgsize":40960},{"baseaddr":"0x7fefd340000","basename":"WINSTA.dll","filepath":"C:\\Windows\\system32\\WINSTA.dll","imgsize":249856},{"baseaddr":"0x7fefc700000","basename":"IPHLPAPI.DLL","filepath":"C:\\Windows\\system32\\IPHLPAPI.DLL","imgsize":159744},{"baseaddr":"0x7fefc6f0000","basename":"WINNSI.DLL","filepath":"C:\\Windows\\system32\\WINNSI
.DLL","imgsize":45056},{"baseaddr":"0x7fefb0d0000","basename":"netutils.dll","filepath":"C:\\Windows\\system32\\netutils.dll","imgsize":49152},{"baseaddr":"0x7fefb0b0000","basename":"wkscli.dll","filepath":"C:\\Windows\\system32\\wkscli.dll","imgsize":86016},{"baseaddr":"0x7fefd630000","basename":"USERENV.dll","filepath":"C:\\Windows\\system32\\USERENV.dll","imgsize":122880},{"baseaddr":"0x7fefd4d0000","basename":"profapi.dll","filepath":"C:\\Windows\\system32\\profapi.dll","imgsize":61440},{"baseaddr":"0x7fefc5c0000","basename":"wshtcpip.dll","filepath":"C:\\Windows\\System32\\wshtcpip.dll","imgsize":28672},{"baseaddr":"0x7fef2400000","basename":"dssenh.dll","filepath":"C:\\Windows\\system32\\dssenh.dll","imgsize":204800},{"baseaddr":"0x7fefc780000","basename":"GPAPI.dll","filepath":"C:\\Windows\\system32\\GPAPI.dll","imgsize":110592},{"baseaddr":"0x74540000","basename":"monitor-x64.dll","filepath":"C:\\tmpcaygsr\\bin\\monitor-x64.dll","imgsize":2269184}],"pid":500,"ppid":384,"process_name":"lsass.exe","process_path":"C:\\Windows\\System32\\lsass.exe","tid":1380,"time":0,"track":false,"type":"process"},{"calls":[{"api":"LdrLoadDll","arguments":{"basename":"KERNEL32","flags":0,"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1454","function_name":"InterlockedCompareExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1432","function_name":"InterlockedExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddr
ess","arguments":{"function_address":"0x757d11f8","function_name":"GetCurrentProcessId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d11c0","function_name":"GetLastError","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d10ff","function_name":"Sleep","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1245","function_name":"GetModuleHandleA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4977","function_name":"LoadLibraryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1222","function_name":"GetProcAddress","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d17d9","function_name":"GetCurrentProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","ar
guments":{"function_address":"0x757d1420","function_name":"GetCurrentThreadId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d110c","function_name":"GetTickCount","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d8769","function_name":"SetUnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d3468","function_name":"FreeLibrary","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d16f5","function_name":"QueryPerformanceCounter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f770f","function_name":"UnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757ed7ea","function_name":"TerminateProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":
"LdrGetProcedureAddress","arguments":{"function_address":"0x757d0e00","function_name":"GetStartupInfoA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fd1f3","function_name":"RtlUnwind","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fb2af","function_name":"OutputDebugStringA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d34a9","function_name":"GetSystemTimeAsFileTime","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrLoadDll","arguments":{"basename":"msvcrt","flags":0,"module_address":"0x75b60000","module_name":"msvcrt.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6db38","function_name":"_stricmp","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6de4a","function_name":"strstr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_
address":"0x75b69894","function_name":"free","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6b10d","function_name":"realloc","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69cee","function_name":"malloc","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714e3","function_name":"??1exception@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714f9","function_name":"??0exception@@QAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb56cd","function_name":"??0exception@@QAE@ABV0@@Z","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7132e","function_name":"_beginthreadex","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b83557"
,"function_name":"_CxxThrowException","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bbbf99","function_name":"_callnewh","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f607","function_name":"_ismbblead","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69790","function_name":"memset","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69910","function_name":"memcpy","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a42d","function_name":"_unlock","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f509","function_name":"__dllonexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a449","function_name":"_lock","module":"msvcrt","module
_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7112d","function_name":"_onexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb92bb","function_name":"??1type_info@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb61d7","function_name":"?terminate@@YAXXZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b72bc0","function_name":"__getmainargs","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b737d4","function_name":"_cexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bcb2e0","function_name":"_exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8dc75","function_name":"_XcptFilter","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"c
ategory":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c004d8","function_name":"_acmdln","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6c151","function_name":"_initterm","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bcb30f","function_name":"_amsg_exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bf77dd","function_name":"__setusermatherr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b727c3","function_name":"__p__commode","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b727ce","function_name":"__p__fmode","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b72804","function_name":"__set_app_type","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_va
lue":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f76e","function_name":"isleadbyte","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c02900","function_name":"_iob","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8fa7c","function_name":"_snprintf","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b84218","function_name":"_itoa","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb22bf","function_name":"wctomb","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6e1e1","function_name":"_controlfp","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c03210","function_name":"__badioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648
.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c00500","function_name":"__pioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6ac15","function_name":"_fileno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74303","function_name":"_lseeki64","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74078","function_name":"_write","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f383","function_name":"_isatty","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7ca0b","function_name":"_strlwr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a5b8","function_name":"_errno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_ad
dress":"0x75b83495","function_name":"__CxxFrameHandler","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b736aa","function_name":"exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb57a5","function_name":"?what@exception@@UBEPBDXZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x003c0000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x003c0000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":2,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"advapi32.dll","stack_pivote
d":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000040","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000044","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x02000000","key_handle":"0x00000048","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtOpenKeyEx","arguments":{"desired_a
ccess":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"LdrLoadDll","arguments":{"basename":"advapi32","flags":0,"module_address":"0x75e10000","module_name":"advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e19159","function_name":"CryptAcquireContextA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1e0a4","function_name":"CryptReleaseContext","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1dece","function_name":"CryptCreateHash","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1deb6","function_name":"CryptHashData","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1defe","function_name":"CryptGetHashParam","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":286
8,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1dee6","function_name":"CryptDestroyHash","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrLoadDll","arguments":{"basename":"CRYPTSP","flags":0,"module_address":"0x742d0000","module_name":"CRYPTSP.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d4a53","function_name":"CryptAcquireContextA","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"CryptAcquireContextA","arguments":{"container":"","crypto_handle":"0x006f6cf0","flags":4026531904,"provider":"","provider_type":1},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"Kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d13e0","function_name":"CloseHandle","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d5366","function_name":"CreateFileA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4c0b","function_name":"Creat
eMutexA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f733f","function_name":"CreateToolhelp32Snapshot","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d31cf","function_name":"DeviceIoControl","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d17bc","function_name":"GetCurrentThread","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75854aff","function_name":"GetLongPathNameA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1481","function_name":"GetModuleFileNameA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757e107d","function_name":"GetNativeSystemInfo","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d14b9","func
tion_name":"GetProcessHeap","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d496a","function_name":"GetSystemInfo","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f79b4","function_name":"GetThreadContext","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779ee0c6","function_name":"HeapAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1499","function_name":"HeapFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779fc7ac","function_name":"HeapReAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fd0a5","function_name":"IsBadReadPtr","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856459","function_name":"Module32
First","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856542","function_name":"Module32Next","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d111e","function_name":"ReleaseMutex","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1ad0","function_name":"SetErrorMode","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1826","function_name":"VirtualAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d183e","function_name":"VirtualFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d42ff","function_name":"VirtualProtect","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1136","function_name":"WaitForSingleObject","mod
ule":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1956","function_name":"OpenProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75e10000","module_name":"Advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24036","function_name":"AllocateAndInitializeSid","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1de84","function_name":"CheckTokenMembership","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2407e","function_name":"FreeSid","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e245ed","function_name":"RegCloseKey","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2485b","function_name":"RegOpenKeyExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"
category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24843","function_name":"RegQueryValueExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e240de","function_name":"AdjustTokenPrivileges","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e235e4","function_name":"CloseServiceHandle","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e23f9a","function_name":"LookupPrivilegeValueA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24254","function_name":"OpenProcessToken","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b20","function_name":"OpenSCManagerA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b38","function_name":"OpenServiceA","module":"advapi32","module_address":"0x75e10000"
,"ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1790c","function_name":"QueryServiceStatusEx","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Shell32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741700,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Shell32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741700,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtQuerySystemInformation","arguments":{"information_class":0},"category":"system","flags":{"information_class":"SystemBasicInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x77ac1000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":2,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x773a0000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x773a0000","heap_dep_bypas
s":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":32,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"IMM32","flags":0,"module_address":"0x75f10000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75f10000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x00000054","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000054","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":-1073741515,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000054"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75a30000","module_name":"LPK.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a348a0","function_name":"LpkTabbedTextOut","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a31430","function_name":"LpkPSMTextOut","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a313d0","function_name":"LpkDrawTextEx","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a37000","function_name":"LpkEditControl","module"
:"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x0000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000068","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000068","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"gdi32","flags":0,"module_address":"0x76e10000","module_name":"gdi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x76e29ea8","function_name":"GetCharABCWidthsI","module":"GDI32","module_address":"0x76e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"Shell32","flags":0,"module_address":"0x76050000","module_name":"Shell32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x762986f5","function_name":"ShellExecuteExA","module":"Shell32","module_address":"0x76050000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x77390000","module_name":"User32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773afffe","function_name":"FindWindowA","module":"USER32",
"module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773e9114","function_name":"SwitchToThisWindow","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773ad23e","function_name":"CreateWindowExA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a9a55","function_name":"DestroyWindow","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7bbb","function_name":"DispatchMessageA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7bd3","function_name":"GetMessageA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7d2f","function_name":"GetSystemMetrics","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b9045","function_name":"LoadImageA","module":"USER32","module_address":"
0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b71fe","function_name":"SendMessageA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a79fb","function_name":"SetTimer","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b86de","function_name":"SetWindowTextA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b0e13","function_name":"ShowWindow","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7809","function_name":"TranslateMessage","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Ole32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":5,"nt_status":0,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Ole32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":5,"nt_status":0,"return_value":3221225
781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000084","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000084","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000084"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000084","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000084","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000084"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"
status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x774d0000","module_name":"rpcrt4.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x774f009e","function_name":"I_RpcInitNdrImports","module":"RPCRT4","module_address":"0x774d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtOpenDirectoryObject","arguments":{"desired_access":"0x0000000f","directory_handle":"0x000000a0","dirpath":"\\Sessions\\1\\BaseNamedObjects","dirpath_r":"\\Sessions\\1\\BaseNamedObjects"},"category":"file","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"Ole32","flags":0,"module_address":"0x758d0000","module_name":"Ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75919c5b","function_name":"CoCreateInstance","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591097d","function_name":"CoInitializeEx","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"
stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x758f355b","function_name":"CreateStreamOnHGlobal","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeDebugPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x000000a4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a6cd42","function_name":"CsrGetProcessId","module":"ntdll","module_address":"0x779c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtOpenProcess","arguments":{"desired_access":"0x001fffff","process_handle":"0x00000000","process_identifier":408},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|SPECIFIC_RIGHTS_ALL"},"last_error":0,"nt_status":0,"return_value":3221225506,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"SetErrorMode","arguments":{"mode":2},"category":"system","flags":{"mode":"SEM_NOGPFAULTERRORBOX"},"return_value":32775,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"return_value":3980002,"stacktrace":[],"status":1,"tid":2868,"time":1606943649
.536626},{"api":"OpenSCManagerA","arguments":{"database_name":"","desired_access":2147483648,"machine_name":""},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"OpenServiceA","arguments":{"desired_access":4,"service_handle":"0x00000000","service_manager_handle":"0x006deca0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"last_error":1060,"nt_status":-1073741790,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x000000f8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x000000fc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"CreateThread","arguments":{"flags":0,"function_address":"0x75b712e5","parameter":"0x00922640","stack_size":0,"thread_identifier":2628},"category":"process","flags":{},"return_value":252,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"return_value":3966816,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}","regkey_r":"CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2628,"time":1606943649.536626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c100d","exception_code":"0xc0000094","instruction":"div eax","instruction_r":"f7 f0 e8 9c 05 00 00 85 c0 74 06 b8 0a 00 00 
00","module":"Win32.DarkTequila.exe","offset":4109,"symbol":"win32+0x100d"},"registers":{"eax":0,"ebp":2752212,"ebx":0,"ecx":3503292416,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751908},"stacktrace":["win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"return_value":3937488,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c1602","exception_code":"0xc0000096","instruction":"in eax, dx","instruction_r":"ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45","module":"Win32.DarkTequila.exe","offset":5634,"symbol":"win32+0x1602"},"registers":{"eax":1447909480,"ebp":2751900,"ebx":0,"ecx":10,"edi":1971160937,"edx":22104,"esi":7155388,"esp":2751844},"stacktrace":["win32+0x1014 @ 0x3c1014","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c1546","exception_code":"0xc000001d","instruction_r":"0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 
ec","module":"Win32.DarkTequila.exe","offset":5446,"symbol":"win32+0x1546"},"registers":{"eax":1,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":0,"esi":7155388,"esp":2751844},"stacktrace":["win32+0x1023 @ 0x3c1023","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrLoadDll","arguments":{"basename":"ole32","flags":0,"module_address":"0x758d0000","module_name":"ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.536626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f9796","function_name":"GetSystemWindowsDirectoryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"\u0000GetSystemW"},"category":"file","flags":{},"return_value":11,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0xc0100080","file_attributes":128,"file_handle":"0x00000114","f
ilepath":"\\??\\c:","filepath_r":"\\??\\c:","share_access":3,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"DeviceIoControl","arguments":{"control_code":2953344,"device_handle":"0x00000114","input_buffer":"","output_buffer":"\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000"},"category":"file","flags":{"control_code":"IOCTL_STORAGE_GET_DEVICE_NUMBER"},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x00000114"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x758eef0f","function_name":"OleInitialize","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.536626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0xc0100080","file_attributes":128,"file_handle":"0x00000114","filepath":"\\??\\PhysicalDrive0","filepath_r":"\\??\\PhysicalDrive0","share_access":3,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"DeviceIoControl","arguments":{"control_code":4752
64,"device_handle":"0x00000114","input_buffer":"","output_buffer":""},"category":"file","flags":{"control_code":""},"last_error":1,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x00000114"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"CreateToolhelp32Snapshot","arguments":{"flags":8,"process_identifier":2976},"category":"process","flags":{},"return_value":296,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32FirstW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[]
,"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status"
:1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x00000128"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"OLLYDBG","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"WinDbgFrameClass","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"PROCMON_WINDOW_CLASS","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"PROCEXPL","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"LdrLoadDll","arguments":{"basename":"wpcap","flags":0,"module_address":"0x00000000","module_name":"wpcap.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626}
,{"api":"NtClose","arguments":{"handle":"0x00008000"},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225480,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtGetContextThread","arguments":{"thread_handle":"0xfffffffe"},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x00390000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x00390000","heap_dep_bypass":1,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":320,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE|PAGE_GUARD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00390000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c12ad","exception_code":"0x80000004","instruction":"mov dword ptr [ebp + 0xfffffffc], 0xfffffffe","instruction_r":"c7 45 fc fe ff ff ff b8 01 00 00 00 8b 4d f0 
64","module":"Win32.DarkTequila.exe","offset":4781,"symbol":"win32+0x12ad"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751860},"stacktrace":["win32+0x108c @ 0x3c108c","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"OleInitialize","arguments":{},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779dfae8","function_name":"NtQueryInformationProcess","module":"ntdll","module_address":"0x779c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ole32","flags":0,"module_address":"0x758d0000","module_name":"ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75916c74","function_name":"CreateBindCtx","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591e9fc","function_name":"CoTa
skMemAlloc","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c121d","exception_code":"0x80000003","instruction":"rol byte ptr [ebx + 0x45c702c0], -4","instruction_r":"c0 83 c0 02 c7 45 fc fe ff ff ff b8 01 00 00 00","module":"Win32.DarkTequila.exe","offset":4637,"symbol":"win32+0x121d"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2026067364,"edi":1971160937,"edx":844648,"esi":7155388,"esp":2751860},"stacktrace":["win32+0x10b9 @ 0x3c10b9","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x006fc000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741515,"return_value":3221225524,"stacktrace"
:[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":203,"nt_status":-1073741568,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a028d7","function_name":"RegisterTraceGuidsW","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75e10000","module_name":"advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a027c9","function_name":"EventRegister","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a1919d","function_name":"EventUnregister","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f8848","function_name":"EventEnabled","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"ti
me":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a196fd","function_name":"EventWrite","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"PROPSYS","flags":0,"module_address":"0x74190000","module_name":"PROPSYS.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419bf2c","function_name":"PSCreateMemoryPropertyStore","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419c9d6","function_name":"PSPropertyBag_WriteDWORD","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75916495","function_name":"CoGetApartmentType","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779df9bc","function_name":"NtSetInformationThread","module":"ntdll","module_address":"0x779c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"funct
ion_address":"0x759175b0","function_name":"CoRegisterInitializeSpy","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x006fd000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"last_error":6,"nt_status":-1073741816,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000140","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select","regkey_r":"SYSTEM\\Select"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000140","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueEx
A","arguments":{"key_handle":"0x00000144","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","regkey_r":"Current","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000144","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","regkey_r":"LastKnownGood","value":2},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000144"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters","regkey_r":"SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000140"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000144","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc","regkey_r":"EnableBpc","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":6,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000144"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000144","options":0,"regkey
":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters","regkey_r":"SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000144","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc","regkey_r":"EnableBpc","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":6,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000144"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"GetNativeSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000101","base_handle":"0x80000002","key_handle":"0x00000140","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","regkey_r":"SOFTWARE\\Microsoft\\Cryptography"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"st
atus":1,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000140","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","regkey_r":"MachineGuid","value":"3e8a2b26-09e3-46d4-9d82-040453578837"},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000140"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d5d1b","function_name":"CryptCreateHash","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptCreateHash","arguments":{"algorithm_identifier":"0x00008004","crypto_handle":"0x00000000","flags":0,"hash_handle":"0x006fd010","provider_handle":"0x006f6cf0"},"category":"crypto","flags":{"algorithm_identifier":"CALG_SHA1"},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d5f62","function_name":"CryptHashData","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptHashData","arguments":{"buffer":"6401E9A2-4DC0-4622-A3A7-961BB3EF704B","flags":0,"hash_handle":"0x006fd010"},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptHashData","arguments":{"buffer":"3e8a2b26-09e3-46d4-9d82-040453578837","flags":0,"hash_handle":"0x006fd010"},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptHashData","arguments":{"buffer":"6401E9A2-4DC0-4622
-A3A7-961BB3EF704B","flags":0,"hash_handle":"0x006fd010"},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d667c","function_name":"CryptGetHashParam","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d6135","function_name":"CryptDestroyHash","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":1,"mutant_handle":"0x00000140","mutant_name":"Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category
":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOF
T\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"categ
ory":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000009","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\Win32.DarkTequila.exe"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75926f61","function_name":"CoTaskMemFree","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"CreateActCtxW","arguments":{"application_name":"","module_handle":"0x76050000","resource_name":""},"category":"misc","flags":{},"return_value":7329276,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x006ff000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"CreateActCtxW","arguments":{"application_name":"","module_handle":"0x00000000","resource_name":""},"category":"misc","flags":{},"return_value":7331500,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75a30000","module_
name":"LPK","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a37000","function_name":"LpkEditControl","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"comctl32","flags":0,"module_address":"0x73ff0000","module_name":"comctl32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"comctl32","flags":0,"module_address":"0x73ff0000","module_name":"comctl32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7401e05d","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":236},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"OLEAUT32","flags":0,"module_address":"0x75ac0000","module_name":"OLEAUT32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75ac3f8a","function_name":"","module":"OLEAUT32","module_address":"0x75ac0000","ordinal":6},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591e9fc","function_name":"CoTaskMemAlloc","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":16069
43649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x759161a9","function_name":"CoGetMalloc","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000158","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000158","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419c97f","function_name":"PSPropertyBag_ReadDWORD","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419ca28","f
unction_name":"PSPropertyBag_ReadGUID","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x740211b9","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":320},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x74021158","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":324},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x740206f0","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":323},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000158","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\W
indows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e243ab","function_name":"RegEnumKeyW","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x00000158","key_name":"{031E4825-7B94-4dc3-B131-E946B44C8DD5}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"
time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":1,"key_handle":"0x00000158","key_name":"{04731B67-D933-450a-90E6-4ACD2E9408FE}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":2,"key_handle":"0x00000158","key_name":"{11016101-E366-4D22-BC06-4ADA335C892B}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{
"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":3,"key_handle":"0x00000158","key_name":"{26EE0668-A00A-44D7-9371-BEB064C98683}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE
\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":4,"key_handle":"0x00000158","key_name":"{4336a54d-038b-4685-ab02-99bb52d3fb8b}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626
},{"api":"RegEnumKeyW","arguments":{"index":5,"key_handle":"0x00000158","key_name":"{450D8FBA-AD25-11D0-98A8-0800361B1103}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":6,"key_handle":"0x00000158","key_name":"{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion
\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":7,"key_handle":"0x00000158","key_name":"{59031a47-3f72-44a7-89c5-5595fe6b30ee}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy","value":""},"category":"registry","fla
gs":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":8,"key_handle":"0x00000158","key_name":"{645FF040-5081-101B-9F08-00AA002F954E}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":9,"key_handle":"0x00000158","key_name":"{89D83576-6BD1-4c86-9454-BEB04E94C819}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\
Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":10,"key_handle":"0x00000158","key_name":"{9343812e-1c37-4a49-a12e-4b2d810d956b}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":
2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":11,"key_handle":"0x00000158","key_name":"{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":160694364
9.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":12,"key_handle":"0x00000158","key_name":"{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":13,"key_handle":"0x00000158","key_name":"{daf95313-e44d-46af-be1b-cbacea2c3065}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpen
KeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":14,"key_handle":"0x00000158","key_name":"{e345f35f-9397-435c-8f95-4e922c26259e}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\
Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":15,"key_handle":"0x00000158","key_name":"{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"R
egEnumKeyW","arguments":{"index":16,"key_handle":"0x00000158","key_name":"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":17,"key_handle":"0x00000158","key_name":"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"last_error":0,"nt_status":-2147483622,"return_value":259,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.
552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-2147483622,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00000400","process_handle":"0x00000158","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2427c","f
unction_name":"OpenThreadToken","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000158","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u000
0Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u000
0\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00701000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFold
er"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AE
A-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u
0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\
\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"in
formation_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","a
rguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309
D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\
u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING","value":""},"cate
gory":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00
000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\
u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0
000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":160694364
9.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":
-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"info
rmation_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information
_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000
l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20
D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626
},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"t
id":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u00
00E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[]
,"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_A
LLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75912208","function_name":"StringFromGUID2","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","
key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation
"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Cl
asses\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u00
00o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFol
der\\CallForAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desire
d_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"Nt
QueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u
0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arg
uments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225
524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInform
ation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x0000015
6","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E
\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\C
lasses\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid
":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"sta
cktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u000
0D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":10
08,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\Shel
lFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B
30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u00
00o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H
\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_hand
le":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x
0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"c
ategory":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069
-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":16069
43649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0
000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","ke
y_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","value":36},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"stat
us":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":
[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u
00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008
,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellF
older"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}
\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\
u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u00
00\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_nam
e":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"s
tatus":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace"
:[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u000
05\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"n
t_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFold
er"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Nod
e\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\
u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N
\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000015
6","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"
category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"
registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000
e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum","value":""},"category":"registry","flags"
:{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","value":1048576},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_ac
cess":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08
002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00d4\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000I\u0000n\u0000P\u0000r\u0000o\u0000c\u0000S\u0000e\u0000r\u0000v\u0000e\u0000r\u00003\u00002\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_clas
s":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","value":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00d4\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000I\u0000n\u0000P\u0000r\u0000o\u0000c\u0000S\u0000e\u0000r\u0000v\u0000e\u0000r\u00003\u00002\u0000","information_class":3,"key_han
dle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0
0000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"LdrLoadDll","arguments":{"basename":"apphelp","flags":0,"module_address":"0x73fa0000","module_name":"apphelp.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x73faa4cb","function_name":"ApphelpCheckShellObject","module":"apphelp","module_address":"0x73fa0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session 
Manager\\AppCompatibility"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000000","key_handle":"0x00000154","regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871c5380-42a0-1069-a2ea-08002b30309d}\\InProcServer32"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":1,"key_handle":"0x00000154","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","value":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"registry","flags":{"information_class":"KeyValueFullInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"ieframe.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":1008,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenFile","arguments":{"desired_access":"0x00100081","file_handle":"0x00000154","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ie
frame.dll","open_options":96,"share_access":5,"status_info":1},"category":"file","flags":{"desired_access":"FILE_READ_DATA|FILE_READ_ATTRIBUTES|FILE_LIST_DIRECTORY","open_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00702000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":128,"file_handle":"0x00000154","filepath":"C:\\Windows\\AppPatch\\sysmain.sdb","filepath_r":"\\SystemRoot\\AppPatch\\sysmain.sdb","share_access":1,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryInformationFile","arguments":{"file_handle":"0x00000154","information_class":5},"category":"file","flags":{"information_class":"FileStandardInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000005","file_handle":"0x00000154","object_handle"
:"0x00000000","protection":2,"section_handle":"0x0000015c","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x02760000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x0000015c","section_offset":0,"view_size":4083712,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryInformationFile","arguments":{"file_handle":"0x00000154","information_class":5},"category":"file","flags":{"information_class":"FileStandardInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":32769},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX"},"return_value":6,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenFile","arguments":{"desired_access":"0x00100001","file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\","open_options":16417,"share_access":3,"status_info":1},"category":"file","flags":{"desired_access":"FILE_READ_DATA|FILE_LIST_DIRECTORY","open_options":"FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64\\ieframe.dll","file_handle":"0x00000
160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":32769},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"GetFileAttributesW","arguments":{"file_attributes":32,"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":32,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows","filepath_r":"C:\\Windows"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows\\SysWOW64","filepath_r":"C:\\Windows\\SysWOW64"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":25
76,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":32773},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000160","regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryValueKey","arguments":{"information_class":1,"key_handle":"0x00000160","key_name":"Cache","reg_type":1,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache","value":"C:\\Users\\mes-vms\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"},"category":"registry","flags":{"information_class":"KeyValueFullInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000100","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\AppCompatFlags\\Layers"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000100","key_handle":"0x00000000","regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000100","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\ieframe.dll"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00703000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows\\SysWOW64\\*.*","filepath_r":"C:\\Windows\\SysWOW64\\*.*"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00705000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection
":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00707000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00708000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windo
ws\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00709000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0070c000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64
","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0070d000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value"
:0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0070e000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","
file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00710000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00711000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle"
:"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00712000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00713000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160
","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00714000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00715000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","informati
on_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00716000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":257
6,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00717000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00718000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":160
6943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00719000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"c
ategory":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071a000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071d000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"fi
le","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071e000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071f000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocati
on_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00720000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00721000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"ME
M_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00722000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirector
yFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00724000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_c
lass":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"last_error":1008,"nt_status":-1073741772,"return_value":2147483654,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":1},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryAttributesFile","arguments":{"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000007","file_handle":"0x00000160","object_handle":"0x00000000","protection":2,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace"
:[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x71cb0000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":13701120,"win32_protect":4},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":32773},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"},"return_value":5,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x00000160","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CMF\\Config"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000160","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":0,"
desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x00000160","object_handle":"0x00000000","protection":8,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x02b50000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":1900544,"win32_protect":8},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x02b50000","process_handle":"0xffffffff","process_identifier":2976,"region_size":1900544},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"
base_address":"0x71cb0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":1},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00726000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryAttributesFile","arguments":{"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000007","file_handle":"0x00000160","object_handle":"0x00000000","protection":2,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":
0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x729d0000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":13701120,"win32_protect":4},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":32773},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"},"return_value":5,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":0,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x00000160","object_handle":"0x00000000","protection":8,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"
return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x02b50000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":1900544,"win32_protect":8},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x02b50000","process_handle":"0xffffffff","process_identifier":2976,"region_size":1900544},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x729d0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":128,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":1,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"t
ime":1606943649.599626},{"api":"NtQueryInformationFile","arguments":{"file_handle":"0x00000160","information_class":5},"category":"file","flags":{"information_class":"FileStandardInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000005","file_handle":"0x00000160","object_handle":"0x00000000","protection":2,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x71cb0000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":13701120,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":128,"file_handle":"0x00000168","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":1,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetFilePointerEx","arguments":{"file_handle":"0x00000168","move_method":2,"offset":13679616},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetFilePointer","arguments":{"file_handle":"0x00000168","move_method":2,"offset":4294966272},"ca
tegory":"file","flags":{},"return_value":13678592,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtReadFile","arguments":{"buffer":"t2|2\u00842\u008c2\u00902\u00982\u009c2\u00a02\u00a42\u00a82\u00ac2\u00b02\u00b42\u00bc2\u00c02\u00c42\u00c82\u00cc2\u00d42\u00d82\u00e02\u00e42\u00e82\u00ec2\u00f42\u00f82\u00fc2\u00003\u00043\b3\f3\u00103\u00183\u001c3 3$3(3,3034383<3@3D3L3P3T3X3\\3`3d3h3l3p3t3x3|3\u00803\u00843\u00883\u008c3\u00903\u00943\u00983\u009c3\u00a03\u00a43\u00a83\u00ac3\u00b03\u00b43\u00b83\u00bc3\u00c03\u00c43\u00c83\u00cc3\u00d03\u00d43\u00d83\u00dc3\u00e03\u00e43\u00e83\u00ec3\u00f03\u00f43\u00f83\u00fc3\u00004\u00044\b4\f4\u00104\u00144\u00184\u001c4 4$4(4,4044484<4@4D4H4L4P4T4X4\\4`4d4h4l4p4t4x4|4\u00804\u00844\u00884\u008c4\u00904\u00944\u00984\u009c4\u00a04\u00a44\u00a84\u00ac4\u00b04\u00b84\u00bc4\u00c04\u00c44\u00c84\u00cc4\u00d04\u00d44\u00d84\u00dc4\u00e04\u00e84\u00ec4\u00f04\u00f44\u00f84\u00005\u00045\b5\f5\u00105\u00145\u00185\u001c5 5$5(5054585<5@5D5H5L5P5T5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d45\u00d85\u00dc5\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00006\u00046\b6\f6\u00106\u00146\u00186\u001c6 6$6(6,6064686<6@6D6H6L6P6T6X6\\6`6d6h6l6p6t6x6|6\u00806\u00846\u00886\u008c6\u00906\u00946\u00986\u009c6\u00a06\u00a46\u00a86\u00ac6\u00b06\u00b46\u00b86\u00bc6\u00c06\u00c46\u00c86\u00cc6\u00d46\u00dc6\u00e06\u00e86\u00ec6\u00f06\u00f46\u00f86\u00fc6\u00007\u00047\b7\f7\u00107\u00147\u00187\u001c7 7$7(7,7074787<7@7D7H7L7P7T7X7\\7`7d7h7l7p7t7x7|7\u00807\u00847\u00887\u008c7\u00907\u00947\u00987\u009c7\u00a07\u00a47\u00a87\u00ac7\u00b07\u00b47\u00b87\u00bc7\u00c07\u00c47\u00c87\u00cc7\u00d07\u00d47\u00d87\u00dc7\u00e07\u00e47\u00e87\u00ec7\u00f07\u00f47\u00f87\u00fc7\u00008\u00048\b8\f8\u00108\u00148\u00188\u001c8 
8$8(8,8084888<8@8D8H8L8P8T8X8\\8`8d8h8l8p8t8x8|8\u00808\u00848\u00888\u008c8\u00948\u009c8\u00a08\u00a48\u00ac8\u00b48\u00b88\u00bc8\u00c08\u00c48\u00c88\u00cc8\u00d08\u00d48\u00dc8\u00e48\u00e88\u00ec8\u00f08\u00f48\u00f88\u00009\u00049\b9\f9\u00109\u00149\u00189\u001c9 9$9(9,9094989<9@9D9H9L9P9T9X9\\9`9d9h9l9p9t9|9\u00809\u00849\u00889\u008c9\u00909\u00949\u00989\u009c9\u00a09\u00a49\u00a89\u00b09\u00b49\u00bc9\u00c49\u00c89\u00d09\u00d89\u00dc9\u00e09\u00e89\u00ec9\u00f09\u00f49\u00f89\u00fc9\u0000:\u0004:\f:\u0010:\u0014:\u0018: :$:(:0:8:<:D:L:P:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x00000168","length":1024,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000168"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x71cb0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":257
6,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0070c000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":12288},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00708000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00716000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00712000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0071e000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":6},"category":"system","flags":{"mode":"SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOGPFAULTERRORBOX"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x00100080","file_attributes":128,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":7,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_S
YNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x02760000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4083712},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071e000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S
\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell 
Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF","value":"\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fba\u00f4\u0094wy\u00d3\u0001"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020119","key_handle":"0x00000154","regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020119","key_handle":"0x0000015c","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000015c","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626
},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000015c","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75919c5b","function_name":"CoCreateInstance","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"CoCreateInstance","arguments":{"class_context":1025,"clsid":"{871c5380-42a0-1069-a2ea-08002b30309d}","iid":"{000214e6-0000-0000-c000-000000000046}"},"category":"ole","flags":{"clsid":"Internet_Explorer","iid":"IShellFolder"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741515,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x00000194","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings","regkey_r":"Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000194","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x00000198","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","regkey_r":"Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000198","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x0000019c","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","regkey_r":"Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000019c","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x000001a0","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","regkey_r":"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001a0","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000194","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000198","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000019c","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001a0","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x000001a4","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001a4","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\Security_HKLM_only","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001a4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x000001a4","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","regkey_r":"Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000001","key_handle":"0x000001a8","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl","regkey_r":"Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x000001a8","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","regkey_r":"FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x000001a4","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","regkey_r":"FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f407f","function_name":"AcquireSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f4039","function_name":"ReleaseSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":
1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-downlevel-ole32-l1-1-0","flags":0,"module_address":"0x772e0000","module_name":"api-ms-win-downlevel-ole32-l1-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591e9fc","function_name":"CoTaskMemAlloc","module":"api-ms-win-downlevel-ole32-l1-1-0","module_address":"0x772e0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":8,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00926000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":16384,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocat
ion_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":8192,"base_address":"0x02760000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x02760000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":73728,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f407f","function_name":"AcquireSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f4039","function_name":"ReleaseSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stac
k_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-downlevel-advapi32-l1-1-0","flags":0,"module_address":"0x76ca0000","module_name":"api-ms-win-downlevel-advapi32-l1-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a028d7","function_name":"RegisterTraceGuidsW","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":8,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2427c","function_name":"OpenThreadToken","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"st
ack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24254","function_name":"OpenProcessToken","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24036","function_name":"AllocateAndInitializeSid","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"s
tacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1de84","function_name":"CheckTokenMembership","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_piv
oted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2407e","function_name":"FreeSid","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"GetNativeSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0092a000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":24576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f407f","function_name":"AcquireSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"categor
y":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f4039","function_name":"ReleaseSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a28f8b","function_name":"RegisterTraceGuidsA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":8,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"ti
me":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a9b11a","function_name":"EventSetInformation","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741700,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"urlmon","flags":0,"module_address":"0x75600000","module_name":"urlmon.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75624610","function_name":"IsValidURL","module":"urlmon","module_address":"0x75600000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenProcess","arguments":{"desired_access
":"0x00000400","process_handle":"0x000001c8","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00000400","process_handle":"0x000001cc","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"GlobalMemoryStatusEx","arguments":{},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":0,"desired_access":"0x00100080","file_attributes":0,"file_handle":"0x000001c8","filepath":"\\??\\C:","filepath_r":"\\??\\C:","share_access":7,"status_info":0},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_
access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_SUPERSEDED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtDeviceIoControlFile","arguments":{"control_code":5636096,"file_handle":"0x000001c8","input_buffer":"","output_buffer":"\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u00f9\u0018\u0000\u0000\u0000"},"category":"file","flags":{"control_code":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x000001c8","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main","regkey_r":"Software\\Microsoft\\Internet Explorer\\Main"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow","regkey_r":"FrameTabWindow","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x000001cc","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main","regkey_r":"Software\\Microsoft\\Internet 
Explorer\\Main"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow","regkey_r":"FrameTabWindow","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging","regkey_r":"FrameMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging","regkey_r":"FrameMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging","regkey_r":"SessionMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\SessionMerging","regkey_r":"SessionMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs","regkey_r":"AdminTabProcs","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs","regkey_r":"AdminTabProcs","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001d0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001d0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet 
Explorer\\Main","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-downlevel-shlwapi-l2-1-0","flags":0,"module_address":"0x73f80000","module_name":"api-ms-win-downlevel-shlwapi-l2-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7731a0b7","function_name":"SHStrDupW","module":"api-ms-win-downlevel-shlwapi-l2-1-0","module_address":"0x73f80000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75926f61","function_name":"CoTaskMemFree","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","p
rocess_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrLoadDll","arguments":{"basename":"PROPSYS","flags":0,"module_address":"0x74190000","module_name":"PROPSYS.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419bf2c","function_name":"PSCreateMemoryPropertyStore","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x741da581","function_name":"PSCreateAdapterFromPropertyStore","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_p
ivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"CoCreateInstance","arguments":{"class_context":1,"clsid":"{76765b11-3f95-4af2-ac9d-ea55d8994f1a}","iid":"{00000000-0000-0000-c000-000000000046}"},"category":"ole","flags":{"clsid":"Property_System_Both_Class_Factory","iid":"IID_IUnknown"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"EXPLORER.EXE","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"EXPLORER.EXE","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x741be0a5","function_name":"PropVariantToBSTR","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status"
:1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75913cb9","function_name":"PropVariantClear","module":"api-ms-win-downlevel-ole32-l1-1-0","module_address":"0x772e0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75926f61","function_name":"CoTaskMemFree","module":"api-ms-win-downlevel-ole32-l1-1-0","module_address":"0x772e0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection
":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7731b141","function_name":"IUnknown_Set","module":"api-ms-win-downlevel-shlwapi-l2-1-0","module_address":"0x73f80000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LoadStringW","arguments":{"id":10240,"module_handle":"0x729d0000","string":"Ou&vrir"},"category":"ui","flags":{},"return_value":7,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x760eb659","function_name":"","module":"Shell32","module_address":"0x76050000","ordinal":102},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\http\\OpenWithProgids"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741515,"return_value":3221225524,"stacktrace":[],"status":0,"tid"
:2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x000001d8","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001d8","key_name":"","reg_type":1,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid","value":"FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u
00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d6"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"
HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\CurVe
r"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\CurVer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d8","options":0,"regkey":"HKEY
_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d6"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid"
:2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001da"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000001d8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001d6","key_name":"","reg_type":0,"regkey":"HK
EY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001da","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001da"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","infor
mation_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d8","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000","information_class":3,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx"
,"arguments":{"desired_access":"0x02000000","key_handle":"0x000001dc","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001da","key_name":"","reg_type":1,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)","value":"open"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001de"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000","information_class":3,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000",
"information_class":7,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001dc","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u00d8\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000\\\u0000o\u0000p\u0000e\u0000n\u0000","information_class":3,"key_handle":"0x000001de","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001de","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"
status":1,"tid":2576,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000001e0","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001de","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001e2","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001e2"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001da"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00
008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d8","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001d6"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001de"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirecto
ryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LoadStringW","arguments":{"id":4,"module_handle":"0x76ed0000","string":"M\u00e9moire insuffisante"},"category":"ui","flags":{},"return_value":20,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000020c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrLoadDll","arguments":{"basename":"API-MS-Win-Core-LocalRegistry-L1-1-0","flags":0,"module_address":"0x757c0000","module_name":"API-MS-Win-Core-LocalRegistry-L1-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1eee","function_name":"RegQueryValueExW","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000020c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"las
t_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x0000020c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000020c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000020c","key_name":"","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath","value":"%SystemRoot%\\inf"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x0000020c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000210","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000218","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetNativeSystemInfo","arguments":{"processor_count"
:2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x0000021c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrLoadDll","arguments":{"basename":"SETUPAPI","flags":0,"module_address":"0x76ed0000","module_name":"SETUPAPI.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77075ff7","function_name":"CM_Get_Device_Interface_List_Size_ExW","module":"SETUPAPI","module_address":"0x76ed0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0xfffffffe","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x000001f0","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00708000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[]
,"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77075480","function_name":"CM_Get_Device_Interface_List_ExW","module":"SETUPAPI","module_address":"0x76ed0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0x00000220","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x00000224","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumeNameForVolumeMountPointW","arguments":{"volume_mount_point":"\\\\?\\IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#5&394c0ad3&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\","volume_name":"\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Window
s\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":2147483653,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","value":"\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00ba\u0001\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0001\u0000\u0000\u0080\u00bd\u00ad\u00db\u00ba\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000I\u0000D\u0000E\u0000#\u0000C\u0000d\u0000R\u0000o\u0000m\u0000V\u0000B\u0000O\u0000X\u0000_\u0000C\u0000D\u0000-\u0000R\u0000O\u0000M\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000
_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u00001\u0000.\u00000\u0000_\u0000_\u0000_\u0000_\u0000_\u0000#\u00005\u0000&\u00003\u00009\u00004\u0000c\u00000\u0000a\u0000d\u00003\u0000&\u00000\u0000&\u00000\u0000.\u00000\u0000.\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00005\u00009\u00000\u00004\u0000e\u0000f\u00001\u00003\u0000-\u00002\u0000a\u00002\u00004\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u0000b\u00004\u00007\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0x00000220","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x00000224","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumeNameForVolumeMountPointW","arguments":{"volume_mount_point":"\\\\?\\STORAGE#Volume#{6fb977c0-2a1f-11ea-848b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\","volume_name":"\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx"
,"arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":2147483653,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","value":"\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00ba\u0001\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u0000\u00e7\u0003\u00ff\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0004i\u00ad\u00ae\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000S\u0000T\u0000O\u0000R\u0000A\u0000G\u0000E\u0000#\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000#\u0000{\u00006\u0000f\u0000b\u00009\u00007\u00007\u0000c\u00000\
u0000-\u00002\u0000a\u00001\u0000f\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u00008\u00004\u00008\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000#\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00001\u00000\u00000\u00000\u00000\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u
0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00003\u0000e\u0000b\u0000d\u00002\u00007\u00004\u00004\u0000-\u0000e\u00005\u00006\u00009\u0000-\u00001\u00001\u0000e\u00007\u0000-\u0000b\u00003\u00008\u00002\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000R\u0000\u00e9\u0000s\u0000e\u0000r\u0000v\u0000\u00e9\u0000 \u0000a\u0000u\u0000 \u0000s\u0000y\u0000s\u0000t\u0000\u00e8\u0000m\u0000e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u0000T\u0000F\u0000S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000022
4","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0x00000224","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x00000220","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumeNameForVolumeMountPointW","arguments":{"volume_mount_point":"\\\\?\\STORAGE#Volume#{6fb977c0-2a1f-11ea-848b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\","volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":
1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":2147483653,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","value":"\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00baA\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u0000\u00e7\u0003\u00ff\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u00e0\u009d\u00b2\u0010\u0004@\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000S\u0000T\u0000O\u0000R\u0000A\u0000G\u0000E\u0000#\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000#\u0000{\u0
0006\u0000f\u0000b\u00009\u00007\u00007\u0000c\u00000\u0000-\u00002\u0000a\u00001\u0000f\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u00008\u00004\u00008\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000#\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00006\u00005\u00000\u00000\u00000\u00000\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u
0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00003\u0000e\u0000b\u0000d\u00002\u00007\u00004\u00005\u0000-\u0000e\u00005\u00006\u00009\u0000-\u00001\u00001\u0000e\u00007\u0000-\u0000b\u00003\u00008\u00002\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u0000T\u0000F\u0000S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"s
tatus":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":"C:\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\","volume_path_name":"D:\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":
{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":"C:\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7401e5a5","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":386},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrUnloadDll","arguments":{"library":"Shell32","module_address":"0x76050000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"CreateProcessInternalW","arguments":{"command_line":"\"C:\\Program Files\\Mozilla 
Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","creation_flags":67634192,"current_directory":"C:\\Users\\mes-vms\\AppData\\Local\\Temp","filepath":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","filepath_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","inherit_handles":0,"process_handle":"0x000001e0","process_identifier":1952,"stack_pivoted":0,"thread_handle":"0x000001ec","thread_identifier":2524,"track":1},"category":"process","flags":{"creation_flags":"CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"ShellExecuteExW","arguments":{"filepath":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","filepath_r":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","parameters":"","show_type":10},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001da"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x758eead9","function_name":"OleUninitialize","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"ShellExecuteExW","arguments":{"filepath":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","filepath_r":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","parameters":"","show_type":10},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2628,"time":1606943649.677626},{"api":"CoUninitialize","arguments":{},"category":"ole","flags":{},"return_value":0,"s
tacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"LdrUnloadDll","arguments":{"library":"Shell32","module_address":"0x76050000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"NtClose","arguments":{"handle":"0x0000011c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"NtDelayExecution","arguments":{"milliseconds":3000,"skipped":0},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"CreateThread","arguments":{"flags":0,"function_address":"0x75b712e5","parameter":"0x00922640","stack_size":262144,"thread_identifier":3020},"category":"process","flags":{},"return_value":292,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x02570000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":704512,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":3020,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":8192,"base_address":"0x10000000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":753664,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x10000000"
,"heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":753664,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x10000000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x10001000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x1000b000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":704512,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x100b7000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.
552626},{"api":"LdrLoadDll","arguments":{"basename":"KERNEL32","flags":0,"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4977","function_name":"LoadLibraryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1222","function_name":"GetProcAddress","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d42ff","function_name":"VirtualProtect","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1826","function_name":"VirtualAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d183e","function_name":"VirtualFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrLoadDll","arguments":{"basename":"msvcrt","flags":0,"module_address":"0x75b60000","module_name":"msvcrt.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7
5b69894","function_name":"free","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10001000","heap_dep_bypass":1,"length":40960,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x1000b000","heap_dep_bypass":1,"length":704512,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x100b7000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrLoadDll","arguments":{"basename":"KERNEL32","flags":0,"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4977","function_name":"LoadLibraryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1245","function_name":"GetModuleHandleA","module":"kernel32","module_address":"0x757c
0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d17d9","function_name":"GetCurrentProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1454","function_name":"InterlockedCompareExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1432","function_name":"InterlockedExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1222","function_name":"GetProcAddress","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d11f8","function_name":"GetCurrentProcessId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d11c0","function_name":"GetLastError","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757ed7ea","function_name":"TerminateProcess","module":"kernel32","mod
ule_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d10ff","function_name":"Sleep","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1420","function_name":"GetCurrentThreadId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d110c","function_name":"GetTickCount","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d16f5","function_name":"QueryPerformanceCounter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d8769","function_name":"SetUnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f770f","function_name":"UnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fd1f3","function_name":"RtlUnwind","module":
"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fb2af","function_name":"OutputDebugStringA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d34a9","function_name":"GetSystemTimeAsFileTime","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrLoadDll","arguments":{"basename":"msvcrt","flags":0,"module_address":"0x75b60000","module_name":"msvcrt.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6de4a","function_name":"strstr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6dbae","function_name":"strrchr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b9031d","function_name":"_time64","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69894","function_name":"free","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"
system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69cee","function_name":"malloc","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb57a5","function_name":"?what@exception@@UBEPBDXZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714e3","function_name":"??1exception@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714f9","function_name":"??0exception@@QAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb56cd","function_name":"??0exception@@QAE@ABV0@@Z","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7132e","function_name":"_beginthreadex","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b83557","function_name":"_CxxThrowException","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"
category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bbbf99","function_name":"_callnewh","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69790","function_name":"memset","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69910","function_name":"memcpy","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a42d","function_name":"_unlock","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f509","function_name":"__dllonexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a449","function_name":"_lock","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7112d","function_name":"_onexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"st
atus":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb92bb","function_name":"??1type_info@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8dc75","function_name":"_XcptFilter","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6c151","function_name":"_initterm","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bcb30f","function_name":"_amsg_exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f76e","function_name":"isleadbyte","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c02900","function_name":"_iob","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8fa7c","function_name":"_snprintf","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626}
,{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b84218","function_name":"_itoa","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb22bf","function_name":"wctomb","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c03210","function_name":"__badioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c00500","function_name":"__pioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6ac15","function_name":"_fileno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74303","function_name":"_lseeki64","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74078","function_name":"_write","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address"
:"0x75b6f383","function_name":"_isatty","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7ca0b","function_name":"_strlwr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a5b8","function_name":"_errno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b83495","function_name":"__CxxFrameHandler","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10000000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10000000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0
2570000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":704512},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"Kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d13e0","function_name":"CloseHandle","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d5366","function_name":"CreateFileA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1072","function_name":"CreateProcessA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f733f","function_name":"CreateToolhelp32Snapshot","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d53e4","function_name":"DeleteFileA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757e107d","function_name":"GetNativeSystemInfo","module":"kernel32",
"module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f2754","function_name":"GetTempPathA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779ee0c6","function_name":"HeapAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1499","function_name":"HeapFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779fc7ac","function_name":"HeapReAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856459","function_name":"Module32First","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856542","function_name":"Module32Next","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fccf1","function_name":"MoveFileExA","module":"kernel32","module_address":"0x757c000
0","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1956","function_name":"OpenProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f8ad3","function_name":"Process32First","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f882a","function_name":"Process32Next","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757eecbb","function_name":"SetFileAttributesA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1136","function_name":"WaitForSingleObject","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1282","function_name":"WriteFile","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1826","function_name":"VirtualAlloc","module":"kernel32","module_address":"0x757c0000","ord
inal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d183e","function_name":"VirtualFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75e10000","module_name":"Advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e240de","function_name":"AdjustTokenPrivileges","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e53384","function_name":"ChangeServiceConfig2A","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e533a4","function_name":"ChangeServiceConfigA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e235e4","function_name":"CloseServiceHandle","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e53414","function_name":"CreateServiceA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"
return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e23f9a","function_name":"LookupPrivilegeValueA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24254","function_name":"OpenProcessToken","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b20","function_name":"OpenSCManagerA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b38","function_name":"OpenServiceA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1790c","function_name":"QueryServiceStatusEx","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e245ed","function_name":"RegCloseKey","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e213b1","function_name":"RegCreateKeyExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags
":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2485b","function_name":"RegOpenKeyExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24843","function_name":"RegQueryValueExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1b254","function_name":"RegSetKeySecurity","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e213fb","function_name":"RegSetValueExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e537ff","function_name":"StartServiceA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"OpenSCManagerA","arguments":{"database_name":"","desired_access":983103,"machine_name":""},"category":"services","flags":{},"return_value":7204320,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"OpenServiceA","arguments":{"desired_access":5,"service_handle":"0x00000000","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"last_error":1060,"nt_status":0,"return_value":0,"stacktra
ce":[],"status":0,"tid":2868,"time":1606943652.630626},{"api":"CreateServiceA","arguments":{"desired_access":983551,"display_name":"Windows Client Server Runtime Subsystem","error_control":0,"filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss","filepath_r":"%SystemRoot%\\system32\\svchost.exe -k Wcsrss","password":"","service_handle":"0x006deca0","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem","service_start_name":"","service_type":16,"start_type":2},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select","regkey_r":"SYSTEM\\Select"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","regkey_r":"Current","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","regkey_r":"LastKnownGood","value":2},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x00000006","base_handle":"0x80000002","class":"","disposition":0,"key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServe
rRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description","regkey_r":"Description","value":"This service manages client to server coordination in the local system."},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName","regkey_r":"DisplayName","value":"Windows Client Server Runtime Subsystem"},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath","regkey_r":"ImagePath","value":"%SystemRoot%\\system32\\svchost.exe -k 
Wcsrss\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName","regkey_r":"ObjectName","value":"LocalSystem"},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl","regkey_r":"ErrorControl","value":0},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetNativeSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","regkey_r":"WOW64","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start","regkey_r":"Start","value":2},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type","regkey_r":"Type","value":16},"category":"registry","
flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x0000011c","reg_type":3,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","regkey_r":"FailureActions","value":"<INVALID POINTER>"},"category":"registry","flags":{"reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x0000011c","reg_type":3,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","regkey_r":"FailureActions","value":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":3,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","regkey_r":"FailureActions","value":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"a
pi":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x40000000","base_handle":"0x00000120","class":"","disposition":1,"key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","regkey_r":"Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x0000011c","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","regkey_r":"ServiceDll","value":"%SystemRoot%\\csrss.dll\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000006","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","regkey_r":"WOW64","value":1},"category":"registry","flags":{
"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x40000000","base_handle":"0x00000120","class":"","disposition":1,"key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","regkey_r":"Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x0000011c","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","regkey_r":"ServiceDll","value":"%SystemRoot%\\csrss.dll"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000006","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","regkey_r":"WOW64","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,
"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x40000000","base_handle":"0x00000120","class":"","disposition":2,"key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","regkey_r":"Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x0000011c","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","regkey_r":"ServiceDll","value":"%SystemRoot%\\csrss.dll"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000002","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost","regkey_r":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":7,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Svchost\\Wcsrss","regkey_r":"Wcsrss","value":"WindowsClientServerRunTimeSubsystem\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_MULTI_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeSecurityPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeRestorePrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeTakeOwnershipPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x01040000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegC
loseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00080000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x01040000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00080000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LdrGetDllHandle","arguments":{"module_addres
s":"0x757c0000","module_name":"kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f9796","function_name":"GetSystemWindowsDirectoryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"\u0000GetSystemW"},"category":"file","flags":{},"return_value":11,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"SetFileAttributesW","arguments":{"file_attributes":128,"filepath":"c:\\Windows\\csrss.exe","filepath_r":"c:\\windows\\csrss.exe"},"category":"file","flags":{"file_attributes":"FILE_ATTRIBUTE_NORMAL"},"last_error":2,"nt_status":-1073741772,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.646626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f9796","function_name":"GetSystemWindowsDirectoryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"\u0000GetSystemW"},"category":"file","flags":{},"return_value":11,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"retur
n_value":10,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"SetFileAttributesW","arguments":{"file_attributes":128,"filepath":"c:\\Windows\\csrss.dll","filepath_r":"c:\\windows\\csrss.dll"},"category":"file","flags":{"file_attributes":"FILE_ATTRIBUTE_NORMAL"},"last_error":2,"nt_status":-1073741772,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.646626},{"api":"NtCreateFile","arguments":{"create_disposition":5,"create_options":96,"desired_access":"0x40100080","file_attributes":6,"file_handle":"0x00000120","filepath":"c:\\Windows\\csrss.dll","filepath_r":"\\??\\c:\\windows\\csrss.dll","share_access":1,"status_info":2},"category":"file","flags":{"create_disposition":"FILE_OVERWRITE_IF","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE","file_attributes":"FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM","share_access":"FILE_SHARE_READ","status_info":"FILE_CREATED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"CreateThread","arguments":{"flags":0,"function_address":"0x75b712e5","parameter":"0x00922640","stack_size":0,"thread_identifier":1980},"category":"process","flags":{},"return_value":284,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x02570000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":671744,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":1980,"time":1606943652.646626},{"api":"NtWriteFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u007fP\u00ea\u00f0;1\u0084\u00a3;1\u0084\u00a3;1\u0084\u00a3(9\u00ed\u00a391\u0084\u00a32I\u0011\u00a3=1\u0084\u00a32I\u0017\u00a391\u0084\u00a32I\u0007\u00a3\u00061\u0084\u00a3%c\u0000\u00a381\u0084\u00a3\u00f8>\u00d9\u00a3>1\u0084\u00a3;1\u0085\u00a3D1\u0084\u00a32I\u0000\u00a3*1\u0084\u00a3\u001c\u00f7\u00fa\u00a3:1\u0084\u00a3 \u00ac+\u00a341\u0084\u00a3 \u00ac\u001f\u00a3:1\u0084\u00a3 \u00ac\u0019\u00a3:1\u0084\u00a3Rich;1\u0084\u00a3\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0003\u0000\u001f\u00e7}8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002!\u000b\u0001\n\u0000\u0000@\n\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u00b0\u00d8\n\u0000\u0000\u00b0\u0000\u0000\u0000\u00f0\n\u0000\u0000\u0000\u0000\u0010\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000b\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0001\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00c8\u00f0\n\u0000\u0084\u0000\u0000\u0000\u0000\u00f0\n\u0000\u00c8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\u00f1\n\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u00e4\n\u0000H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000<t\n\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000UPX0\u0000\u0000\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u00e0UPX1\u0000\u0000\u0000\u0000\u0000@\n\u0000\u0000\u00b0\u0000\u0000\u00006\n\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0UPX2\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00f0\n\u0000\u0000\u0002\u0000\u0000\u0000:\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00003.91\u0000UPX!\r\t\u000e\nhX\u00d7\u00e7\u00f5p\u00f9\u00ae\u00e0\u00bc\n\u0000\u00a3(\n\u0000\u0000\u0086\n\u0000I\u0001\u0000:\u001a\u0003\u00004\u0000,\b\u00d1\u00fb\u0088\u00edfs\u0090\u00de?\u0015\u00b7\u00f0\u008e\u0016\u00fc\u00cd\u000eB3\u000f-j\u00a6\u00c4\u00ec\u00bc\u0006\u00fa\\7\u00fbA\u008c\u0099\u0016\u0094\u00dfG\u0005\u0095\u00e2\u00d4o4E\u008e\u00fd\u0016r\u00d8 H\u00e8\u00a2\u00ea*\u001e\u00dd.\"\u000e\u0088\u0085\u00131\u00ef\u00b6\u0001j|\u00bd\u00a2\u00a9\u00be\u00d6\u00ba{3\u0018\f\u00a9\u00f4\u00c5\u00e3\u00d8\u00cf\u00b5+\u0011\u0097\u00e9\u0016\u0082u\u00d5\r\u0090>\u00ae$\u00e4\u0084f!\u00ecP\u00b3\u00b3\u00dao 
\u0086\u0099@\u00de8'\u00a6c\u00f0\f\u008c\u00a5\u00d4\u001fr\u0087\u00b7-+x\u008aF\u00aa\f\u00a0\u00cbz<\u00ca7\u0003\u00bf\u00f0Fs&s\u00bfJ\u0000J\u0094N\u00d1\u00df\u00bc\u00a1\u0093\u00d5\u0094<\u0094\u00a3'>&\u0014Oa`\u0012C\u0013\u008b\u0087\u0006\u00cf\u00aa\u00fe8c\u00dbQ\u00ad\u009a-%B:G\u00ef\u0083\u00b9F\u00fd\u0080\u0017Z\u00a7Ko\u00a5\u0084\u00f0v\u0094\u00c1\u0017\u00c4\u0015X\u00b8L\u00b11\u0087\u00dd'X'\u00cd:\u00bb\\O\t\u00e9\u0083\u00ea\u00b9\u008a\u00ae\u00dc\u00be\u0018$wQ@{\u00a4\u00e2\u0098\u0019@\u0015\u00b7r\u00f3\u00f3\u00ae\u00b9\"uj\u00a4i\u00fe\u00817:\u00c7\u007f=p\u00f6\u0001\u00f5qK\u00ecx\u00aa\u00fcsR\u0017y\u001f\u00b0\u00ff\u00c7!\u0094\u00c6\u00e2\u00e0\u0014l\u0012\u00da\u0000v\u001b\u000b\u0015R!T\u008dG\u00ff\u00c319\u0093\u00c5n\u0013\u00a9\u00d5l\u008e\u008e\u0086U[\u0086\u00f1\f\u00b8\u0016\u00aeN\u0006 -\u00ef\u00a8\u00ea\u000fi\u00cd?\u00bc\u001a\u00b7F]\u001e\u00e1\u00e1\u00e2\u00a8\u00f7E\u00e3\u00c53\u00b9b\u0012\u00cf\u00f4J\u009f\u0013]\u00c6.\u00ffc\u0013\u008cAn2\u0007\u0088\u00e1\u00f4n!0\u00e10z\u00ab\f\u0001/\u00a2\u0087bu\u00b6\u00d3WN\u00c9\u008b\u00d8\u001f7Qh\u00e2\u000bk\u00e8VS])\u0007\u00e6H\u0004\u00a4\u0014p\u00a6\u00b3P\u00b7\u00cb\u00f0O\u0001\u00e6M\u007fL\u00a4-\u0019\u0012\u001eN\u009e\fa\u00c25\u0002\u00e4=e\u00e8\u00deJ\u001aM\u00e8;,\u00e2@26M&J\u00d7\u00b7\u00d6\u0085\u009f\u00bb\u00b0\u0098\u00b8c\u001d\u00a1E\u00e3\u00dfW\u00e5yP\u00e3\u00ec\u00fc\u007fu\u0004\u00bc`)\u00eb\u00f8\u00a8\u0093^\u0088\u00ac\u00bc!\u00f3\u0019\f\u0011P8ZI\u00e4/U\u00ef\u0099\t\u00c0\u00e4v\u0001\u0086JU\u00a8\u00f6Y\u0090\u0084\u0016+\u00ebZ\u00a7'^Z{\u00ed\u001eT\u00d4\u0083\u0081\u00d0\u00ec\u00d2\u0098\u00aaL\u00c9\u00aa\u0083X\u00cfT\t'\u00c7\u00d9\u0013[\u0093F\u00be/\u00e3\u00c4\u00d85\u00beR\u00a1\u00ec\u00c3\u0019wEu\u00bb\u00b4(\u00d0\u00a0\u0095_\u00d0u\u00fd\u00f5\u001e\u00c1\u0003eX\u00bd\u00925\u0003\u0089\u00c5\u00aa9\u0007P\u008c\u0015\u00e8\u00ea\u00a8U-\u0010\u00c2\u00c3\u001c\u00c3\u00a3\u00df\u0
0ef\u0014\u009c*\u0001u\u0001\u00e0\u00b3wd\u0012\u00f5]'\u0002\u00f0\u00bbV\"\u009e\u009d\u00e6\u009b\u0012\u0019\u0013<:]\u001c\u00c4\u00cf\u00d9\u00ed\u00d1j\u0081\u0003\u00adZ&`$\u009f\u00b2*\u00a10\u00f3\u00d97\u00b7\u00bc\u00f9\f\u0014+M\u0011l\u00b32\u00d4\u0010\u00c9V\u00ce\u00f2\u00abO\u00caNx\u008b\u00ac1A\u00e9OxQ\u00df\u0016\u00af\u00c7O*\u00df\u00e1\u0080\u00fa\u0098\u0096(2&\u00a4\u00b0\u00f102\\\u0019\u0013li\u00eax\u008c\\C\u0094\u00ef\u00a8\u00a4\u00b1b|r\u00b9\u00f9\u00aa7\u00c9)\u00c5m\u00e6\u00a9\u00c9c\u0010\u00fbj\u00f5\u009d\u00b9\n\u00e4\u001a\u00f6\u0019\u00ae\u0091\u00a5\u00ef{R\u00e4\u00b7J\u00c7-\u0089\u00b3\u00b4pq\u00ddw\u00b68\u00ea\u009a\u0087k\u008ck\"X\u00bcoAwU\u00f6x\u0007[/\u00da\u00f5s\u00a0\b\u0090\u00d3\u0003\u00de\u0086\u00c1\u0084\u00c7\u00010\\\u00db\u009a\u00c1F{W;\u0006n\u00b4\f\u0012\u00fb\u00c0d\u00f3\u0018\u00e0ho\u00d3\u00ceA\u00b8\u0098\u00b7\u001c\u00ca\u008a2`.\u00f2\u00d0;\u0095/\u0015Q\u009eX\u009d|\u00eb\u0018Fs\u00f8\u00aa;\u00ae\u001c\u0011K\u00f9\u000f\u007f+\rM\u001f`\u009a\u00e2#\u00ca\u00b1\u00d3\u0094#\u0003^\u00ae\u00ce\u00f4e\u0090\u00b2\u00e6y\u0011\u00151\u00c3\n\u0011\u00ac\u008a\u00d4\u00ccM\u001bdd\u0082t\u0013\u00f5@\u00ddB\u0083Z\u001bs8F\u00b53\u00e4\u0017\u00ff\u00ab\u00c0-\u00d3!\u0088\u001cb\u001f\u001c_\u0089I|Q\u00b2\u0092\u00ddI*\u008f\u00af\u000e\u001f\u008f\u00ff8\u009c\u00d6\u00dc\u00b1\u0087l\u00c8\u007f\u0089p\u0099Ot\u00bf4\u00a5C\u00e9\u00a9p\u0089\u00ee\u0017\u0013\"\u0018M\u00e4\u00d4HC\u0015H\u00f6lj\u0017v;5\u00d1\u008e:\u001e_\u00ca\u00f2\u0093c\u00ff\u0014\u00d3\u00acf\u00e7\u00c5-\u0018\u00d3\u0097\u0002P\u00ef\u00a5^\u0098\u000ec\u00fb\u0083R\u00efF|\u00adix(\u00d2B\u00ed\u00a4\u00d0\u00b7\u00d0\u00bf\u0089^6\u0011\u009c\u0087\u00f15\u0016~k\u001bD\u0097\u0014\u0015\u00ab7\u0088\u00b5\u00f5\u008f\u00e1\u0080T>\u00de\u008d\u00e6+\u00e0x/\u009f\u009f\u0083'\"\u00e6_|\u00ef\u00c2\u0080\u00b7M('\u00b1\u0003\u001e\u0081\r\u00e6\u008f@CG\u00c3^2\u00a9\\\u00d3!\u00dd2$f\u008d\u00ca
.\u00871k\u00f7\\.\u00a9rY\u00b7\u0097i\u00e1E\u0084\u008dVb{\u0095*^x\u009eQ\u00e0(\u00f6\u0015b%_\u0096KNs\r\u0091\u0097\u00ef\u00eb}/\u00d5L\u00c5c\u0081U\u0018e&+\u00f60\u00de\u0095$\u00fd /\u00e3\u0085\u0088)/\u00d1c\u00c2\u00a2PEi=qY\u00c8\u008f\f\u00a0\u0082\u0084\u00c3\u00cb\nj\u00b0)r\u00f2\u0092\u00fd\u00f3\u00de\f\u00a0Y\u00e3d0S\u00f1b\u008a\u00c6\u008c\u00c3\u00cf\u00b9M\u0086\u00d63(K<\u00d8a[8\u0016\u00dc+Ja\u00ff\u00d4\"\u0003.AT\u0011f\u00c4\u00afsS\u008b\u00e4C*\u00bc\u00fe\u00bb\u00a1\u001a\u0087_p9U?\u00da}R\u00cc\u009a\u008cr\no\u0084\u00a3\n\u0090\u00e1\u00ad\r\u001dwk\u0000\u00e5_|)\u0083V>\u00ac\u0081N\u00e8\u00ca\u000e\u008f\u00b3\u00d6l\u00fcl1\u001b\u0011\u00c5\u0013\u0007s\u00fd\u00e0z\u00b2\u00ee\u001c5=\u00b5.;\u00ee\u00b1\u001d\u0098\u008d\u00f5_\u00f9\u0087&\u009e?.\u0087\u00d1\u00e5\u0091\u00fb\u0096g\u001fcu;\u00fe\u00fev\u0018PUGe\u00c6\u008f+\u0081\u00b8>\u00d3\u009a\u00a8\u007f\u00bfGD\u00c0\u00ed\u00af\u00bb\u00f0Y\u0005\u00b9\u0016\u009d_\u0080\u00c6j^\u00f8x\u00d8h\u0017|b\u00c7?\u0086!\u0082M\u00afj\u00c7\u00d0\u00e9b\u0007\u00eb\u00b3]\u009e\u009cK\u00d9\b%\u0097\u00d5\u00b5\u00df\u00af\u00e4\u0095\u00f1z\u00e7\u0099\u00b1]\u00fae%\u00e1\u00a3\u0011=}]lA[a \u009c\u00a5\u00cd\u00ab\u00f1 
\u00e2\u009b\u0001\u00df\u001a;tm\u00e9~\u0085\u00a2\u00f1\u009f\u00f91\u00d8\u00d2\u00d9\u001a\f\u009aC\u00b0R\u0084|f\u000f\u0099\u00bd\u00e3\u00ef\u00da\u001bA\u00f2\u00ed\u00e5\u0015B\u0011u\u00ae\u00ae\u00ae\u00f2\u00f1a@.>\u0013\u0098\u00ffy)\u009e\u0001\u00a8^\"\u00df\u00e13\u00d6\tl\u00e59X\u00ac\u0096\u0090\u00df\u0013\u0084\u00db\u008eX\u00dd\u00c2\u00f8\u00edr,\u00ea[&\u00e6A\u00cb0\u0006\u00a5\u00c1$\u00a2B\u0002?z\u00e7\u00c7\u0013\u00c1C!\u009d\u00d9\rRU\u0019\u009c-\u00b6\u00bfDs\u00a0\u0093YE\u00c4\u00f6\u00e8T,f\u00cf4\u000b\u00f4\u00b5\u00fb\u00ce\u0002a\u00a8\u009bS\u0097\u001b\u00cb9:\u00e2\u00bf\u0089\u00fcG\u00b0sssyNx\u00f7\u0088u\u00c8\u00cc\u00d2\u00f7\u0092\u00d2\u00b3\u009e\u009a\u00f2c\u00ff\fl\u0099\u0011\u00f0\u00ed~hY)\u00bfr\u00d9\u0006\u00ac\u00daU\u0004\u00d0o\u00f0H\u00fd\u0003\u0010k\u0002S]k_o\u009c\u0087\u001a\u00c0\u00e0\u00f4E\u00a5\u00bd\u00b6D\u000e\u00ee\u00f9*\u0081+L4\u00058\u00c1\u00db9i\u008f\u00b9R}\u00c1\u00c8\u00a1\u0081\u00b0r\u0003z`H\u00d9\u00ca\u00f7}0\u00b2+Y\u00bd\u00dd\u008at\u009e\u001d\u00fd@\u00b7\u00de\u0082\u00c7\u00fe\u0000 
\u00edb\u00a0>f\u00c9\u00eb&DGD\u0083i\u00cf9O\u001b\u001d\u0004&|g\u00d1\u00bb\u00dc\u00b5>b0p\u00d6A\u0083\u00ea\u009a\u00a4\u0092)\u008e&\u00ca8w\u00d9-\u00aerz\u0003\u0018\u00d7\u009e\"\u0013v\u00e6c=\u009c0\u00c4:\u00b5\u0089|\u0093q.\u0017\u00f2\u0000\u00c6\u00a9`\u00e0-\u0017\u00c32\u000e\u0016\u00d8t\u00cd\u00c0=\u001a\u00b0\u0093\u0081\u00c5e\u00c0\u00d5x\u00e3\u0019\u00839\u0015\u00c0\u001f\u0005\u00b0\u00d4\u00d5\u0097\u00ec\u00c7\u00af\rIknKK\u0083Wo\u008c:\t`\u00ae\u00db\u00f2j*\u009b]\u009b\u00c8\u008c\u0018(C+\u00cc/\u00cd\u0016\u0083S,\u00d5\u00f3c\u0018\u0007c9\u0002\u0011\u00eb\u00d7/9(\r\u00acU_\u001a\u00db\u00904r\u0000R\u00f2\u0019+\u00f8\u00ee\u0016\u00f2\u001d\u00e0\u0097\u00c2*]\u00d9sv\u001b\u0096\u0099\u009a\u0095\u00c6\u00df]\u00a5\u00a1R\u0017}\u00882\u0016~3a$\u00d8\u00dd\u00f8\u00ed\f\u00edO\u0088\u00ebx\u00f2\u00ce\u00bds\u00d5\u00ba5\u00e5\u00ba\u00c6\u0016!\b\u00de\u00e0\u00b0\u00ce\u00fb\u00e9\u00e4\u00a1\u00f9\u0012\u00a0\u0091\u00e1\u00aa\u0018}\u00f5\u0018 
\u00c4\u00fc1\u00f1ti\r\u00b1w\u00830\u008f\u00a8\u0086\u00e10P\u00e4\u0088\u00dc\u00c0.,-\u008f^\u00b8/\u0013\u00ee\u0094!y\u00c3\u00d2\u008e\u00ab\u00ff7L\u00ef\u00c7\u00af\u0014\u00d0\u00e8\u00f0u\u00de\u0092`\u0007a\u0091v\u00c2\u00a64\u0098\u00c9y\u008e\u00cf\u00bf4^\u00908\u00dd>Hm\u00c2\u00a2\u0091K\u0004;}\u0006\u0095+>.\u0012E\u00d7[\u0095\u00ea&\u00e9\u0004\u00b4\u00c3\u00ba'\u001f\u00a5A\u00edQ-n\u00ee\u0098d\u00a6\u00b9vd\u00e1\u0082\u008f\u00daC\u00f6&m\u00b9\u00ff\u00e5\u00ea:\u00ca\u001e]\u00cf8V\u00fe\u0019\u00a3\u0096\u00ccv\u00d3\u00e4\b,\u00e1\u009dM\u0094l\u00146&\u001bH4d\\K\u00b6A\u00ff\u001d\b\u0097>\u00b3\u0001\u0087\u00a0{\u0017qr\u00f9\u0007HY\f\u00db\u00df\u00e2\u009e\u00aa(/a7M\u00d7H\u0007\u00cb\u00c3Yo\u0081;L\u009b7\u00be\u00fc\u009c<\u00ec\u00cb\u00fa\u00d3<>n\u00d8.L\u000ej\u0097D&\u00a4C`H\u0085\u00b0?1\nR>\u0010\u00daVstoUbO:\u00dd\u001a\u009a\u00b3%HA\u00ce\u0014\u00a9O\u00b7\u00d6\u00b6\u00da71\u00b0v\b.\u00e3g\u00b4\u001c\u00bar\u00f43\u009dl\u009d\u00a3\u00d1\u00d5\u00c5\u0004C\\\u0083 ft\u00d9E\u0083U,%\u00c5P\u0084\u00e5E\t\u00ec\u000e\u0004\u00e0$\u00a9\u00ac\r7\u00a0\u00e1\u00b7jg\u0086\u00978 t>\u00d7\r\u0081\u00d1\u00ac\u008c\u00c33[}\u00c5\u00d2\u00fa\u00cbNb\u00e4U><o\u00af~\u00fdWhAK{^\u001aq\t\u0082G\u0013\u0004\u00b6\u000b\u00e5\u00f5<\u00ff\u00a39cV\u009d \u00de\u00e9\u00d2?\u0097\u00dca\u001fA=\u0000]\u00d98@\u00b8\u00e5\u000e\u00e7\u00ffZ\u0002\u00d5\u00f3A\u0004kw\u0091\u00eb\u00a0\u008b\u0012X\u00ccr\u00c2 \u001d\u00adv\u00d3 
\u00eeWL\u00ee\u00b8\u00d3P\u0081\u0083\u00fb\u00b7\u00fa\u00a5\u00a1\u00cd\u00ab'~`/}\u0010\u00f3\u001f}\u00a3-;\u0086\u00f8\u00b8\u00d1rGF\u00ad\u00b5\u0010\u00b46\u00a2\u0000\u00b4\u00ef\u00f3\u00f3\u00a1\u00eb\u009c?\\\u008fl\u0001\u0099(\u00a1\u00ec\u00c0\u00df\u00fe\u00e4kh|\u0094\u00e1`|\u0081\u00cf_\u0013K\u009f\u0085g\u00b9l\u00ca\u001d\u00dd3\u0002\u00b1\u00d3\u0081\u007f\u00f2d\u001d\u00c3\u001d\u00cc\u0095ob\u00d5\u0001\u0098\u00a3d7\u00a7\u00cb\u0093\u0093\u0005o\u00b6\u00a7\u0096\u00e1\u00c5\u0091\u007f\u0090:\u00d2\u00dfX\u0092\u00e2\u0018\u00b6\u00c2$d\u00ce\u00ea\u00b8p\u00a0\u009d\u00aa\u0003\u00ec\u001bi\u00eeU\u00ae\u00b51\u0002N`Fa\u0092\u001a_\u00ad\u00b2.\u00d4<\u00cfs\u007fx\u00ceA>\u00a9\u00c8D\u000bu\u0081\u009f\u00b6\u0093\u0088\u00c1\u00fb\u00bb\u00b5\u00df6\u0089\u00b7\u00a7\u00ec&A\u0018\u00ab\u0094\u0019\u00e2\u0095\u00b6(\u008f\u00d4d\u00e0\u00bd@\u00b7\u00e8\u0081\u00f0|K\u00a5n\fG\u0096\u00b9l\u00cbK_\u00c8\u00cd\u0080{\u00f3\u00c6\u009dk\u009a\u00ce\u00d3\u009b\u00a4\t$\u007f|k\u00df\u00e7t\f\u0012\u00b4'\u0088\u00c1\u00ba\u00b3\u00cbGw\u0002\u00a1\u00c3\u00acE\u0090\u00e6\u00af\u00cb\u00bf\u00beW\u009d\u009d\u00fa\u00e5\u00e4\u00b3d.\bl\u0011\u0085\u00d4\u00afo\u00d2\u0015\u00d4\u008a\u0015\u00fb\u00d0\u0086R}o\u00fe7\u00faZ\u00a1^\u00d8`/n\u00c0\u0002\u008c\u00ea\u00e3\u00f5\u009f\u00d3E\u0012\u001b\u0098\u00ecIT\u00f1-\u00af\u00ca\u0090\u00c8\u00c0-z\u00f5\u00be\u00f7\u0087\u00af\u00f1Q\u0017\u00aa\u00f3(\u000f\u00e2\u008fp\u00a9\u00e5w2\\!qlQ\u0094B\u00c3:\u00e6\u008c\u0019\u008a\u00fb\u00fe\u0093\u00e0M\u00c8o\u0007;\u00d61\u00e2\u00ee\u00a4H\u00d0\u00ca\u0012Nb\u00bb\u00f8\u00c9R\u0092\u00da\u0083B9\u00d8\u00a6u\u00b7\u00ea\u0086\u0017\u00b1\u00cd)ss\u00b5Y\u00af\u0019'\u00ab\u00f6<7\u00a4^\u00ae\u00eel\u00b8y\n\u0014\u00cf\u00ecsk\u00af\u00fa\u0082J\u00bd\u001f\u008c7rd%\u00d1%9`\u0087g#\u001d\u0098\u0082i\u00f3\u00c3W\u0084q\u00e1\u00ec\u00cb+\u00d6\u0085\u008c\u00f6q\u00e2\u0091\u00f6\u001du\u001f\u00fc\u00e1\u00a8]\u0081\
u00d2\u00eac#\u00d6\u0095}|\u008d\u00cd\u00db\u00aaEy\u00f1\u0098]\u00bf\u00c5\u001d\u008da\u00c8\u0012\u008e\u00a8\u0080]\u00fe>\u00910Sqo\u00fbC\u00913i\n\u00b2\th_\u0086b\u00b2\u0012\u00dfX\u001c\u0018\u0006\u0007d?\u00cb\u0013\f>\u0019C\u000bI\u00132'\u00db]9\u0082\u0088\u0097\u0080\u00ff\u0005\u00c6|w\u0003\u00e6\u000euE\u0000\u00ab<8\u008d\u00a5\u0094\u00ac\u00e7\u00ceo#\u00eazz\u00eb\u00e3\u00f2W\u00dbb\u0080\u009a\u00aa\u0014_\u00d1\u00ee\u001f\u0014\u00d2g\u00d85\u00d4\u00fc\u00ccIV\u0091\u0098\u00fe\u00edqC=\u00e6\u000er\u00ce\u00a3\u0014\u0018\u00e5|\u00b2o\u00d5\u00ac\u001f@\u0007\u00ad\u001bca\u008c\u0013\u00d2\u00da\u009c\u00fc\u008bp}mQ\u00e1\u008f\u00e7\u00f2\u00c5\u00f5\u00ac\u00e4$g\u00b7\u00bf\u0001m\u00d8\u00fa\u0006V\u00a0\u00990\u0083\u00ba\u00df\u009c\u00b5\u001cn^6\u00d9v\u00fc\u00aa\u00fc\u00aeP\u00be1\u00c5\u00d7 \u0084\u00e4@\\D-\u000b\u00ac\u00cf\u00d4i/\u001b7#\u00bbxo\u00b6I\u0012\u00d7P\u00e9\u00c0\u00dfL\rn\u00bf\u0081\u0083\u0000\u00a1\u00f1\u00b7\u00b9\u00ca\u00a5\u00f3%[\u009f\u00b4\u0018\u00d9\u00de\u0010","file_handle":"0x00000120","filepath":"C:\\Windows\\csrss.dll","offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x02570000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":671744},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"OpenServiceA","arguments":{"desired_access":16,"service_handle":"0x006deca0","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"StartServiceA",
"arguments":{"arguments":[],"service_handle":"0x006deca0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000140"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d36a0","function_name":"CryptReleaseContext","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x00000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x00000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000210"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000020c"},"category":"system","flags":{},"return_va
lue":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000218"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000214"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000204"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000200"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001c4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000000"},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225480,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000000"},"category":"system","flags":{},"last_error":6,"nt_status":-1073741816,"return_value":3221225480,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a191e2","function_name":"UnregisterTraceGuids","module":"api-ms-win-downlevel-adva
pi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001bc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001b8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001b0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001b4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001ac"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000194"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000198"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000019c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"stat
us":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001a0"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001c8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001cc"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001a4"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001a8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x00660000","process_handle":"0xffffffff","process_identifier":2976,"region_size":28672},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000170"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00670000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address"
:"0x00670000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":65536},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x00610000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x004d0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000150"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000014c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000013c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrUnloadDll","arguments":{"library":"PROPSYS","module_address":"0x74190000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a191e2","function_name":"UnregisterTraceGuids","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000138"},"category":"system","flags":{},"return_value":0,"stacktrace":[]
,"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000114"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000128"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00727000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":65536},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0071e000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":16384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x006f8000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":12288},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00709000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00712000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0071a000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626
},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00702000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000084"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000050"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x740212b3","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":321},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00702000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00712000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071a000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocat
ion_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000007c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000070"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000074"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000078"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000080"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x00380000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000108"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrUnloadDll","arguments":{"library":"IMM32","module_address":"0x75f10000"},"category":"system","flags":{},"retu
rn_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x00000068","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000068","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741816,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000040"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000044"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000000b8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000038"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000003c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtTerminateProcess","arguments":{"process_handle":"0xffffffff","process_identifier":2976,"status_code":"0x00000000"},"category"
:"process","flags":{},"last_error":0,"nt_status":-1073741816,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626}],"command_line":"\"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe\" ","first_seen":1606943648.427626,"modules":[{"baseaddr":"0x3c0000","basename":"Win32.DarkTequila.exe","filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","imgsize":933888},{"baseaddr":"0x779c0000","basename":"ntdll.dll","filepath":"C:\\Windows\\SysWOW64\\ntdll.dll","imgsize":1572864},{"baseaddr":"0x757c0000","basename":"kernel32.dll","filepath":"C:\\Windows\\syswow64\\kernel32.dll","imgsize":1114112},{"baseaddr":"0x75c10000","basename":"KERNELBASE.dll","filepath":"C:\\Windows\\syswow64\\KERNELBASE.dll","imgsize":290816},{"baseaddr":"0x75b60000","basename":"msvcrt.dll","filepath":"C:\\Windows\\syswow64\\msvcrt.dll","imgsize":704512},{"baseaddr":"0x742f0000","basename":"monitor-x86.dll","filepath":"C:\\tmpcaygsr\\bin\\monitor-x86.dll","imgsize":2117632}],"pid":2976,"ppid":3028,"process_name":"Win32.DarkTequila.exe","process_path":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","tid":2868,"time":0,"track":true,"type":"process"},{"calls":[{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007fef4e70000","module_name":"api-ms-win-core-synch-l1-2-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x0000000077814320","function_name":"InitializeConditionVariable","module":"api-ms-win-core-synch-l1-2-0","module_address":"0x000007fef4e70000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetProcedureAd
dress","arguments":{"function_address":"0x000000007760b6d0","function_name":"SleepConditionVariableCS","module":"api-ms-win-core-synch-l1-2-0","module_address":"0x000007fef4e70000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x00000000777feea0","function_name":"WakeAllConditionVariable","module":"api-ms-win-core-synch-l1-2-0","module_address":"0x000007fef4e70000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.38402},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000000e50000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000e50000","free_type":32768,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":1048576},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000000e50000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":2093056,"stack_dep_bypass":0,"stac
k_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000e50000","free_type":32768,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":2093056},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000000f00000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000f01000","free_type":16384,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":1044480},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000001000000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000001002000","free_type":16384,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":1040384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","ar
guments":{"allocation_type":4096,"base_address":"0x0000000001002000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001003000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001004000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001006000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":57344,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001014000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"a
llocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00001000","process_handle":"0x0000000000000050","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtOpenFile","arguments":{"desired_access":"0x00100080","file_handle":"0x0000000000000054","filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","filepath_r":"\\Device\\HarddiskVolume2\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","open_options":16416,"share_access":7,"status_info":1},"category":"file","flags":{"desired_access":"FILE_READ_ATTRIBUTES","open_options":"FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"GetFileInformationByHandle","arguments":{"file_handle":"0x0000000000000054"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtClose","arguments":{"handle":"0x0000000000000054"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":16416,"desired_access":"0x00100080","file_attributes":0,"file_handle":"0x0000000000000054","filepath":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","filepath_r":"\\??\\C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","share_access":7,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"GetFileInformationByHandle","arguments":{"file_handle":"0x0000000000000054"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtClose","arguments":{"handle":"0x0000000000000054"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtClose","arguments":{"handle":"0x0000000000000050"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"RegCreateKeyExW","arguments":{"access":"0x000f003f","base_handle":"0xffffffff80000001","class":"","disposition":2,"key_handle":"0x0000000000000054","options":0,"regkey":"HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher","regkey_r":"SOFTWARE\\Mozilla\\Firefox\\Launcher"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000000000000054","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","regkey_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","value":1579293992},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000000000000054","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla 
Firefox\\firefox.exe|Launcher","regkey_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.40002},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000000000000054","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","regkey_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.40002},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00001000","process_handle":"0x0000000000000058","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtClose","arguments":{"handle":"0x0000000000000058"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001015000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":65536,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtClose","arguments":{"handle":"0x0000000000000058"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtQuerySystemInformation","argum
ents":{"information_class":0},"category":"system","flags":{"information_class":"SystemBasicInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.43102},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x000000007790e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":2,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.43102},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.43102},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741823,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.43102},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741823,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.43102},{"api":"LdrLoadDll","arguments":{"basename":"IMM32","flags":0,"module_address":"0x000007feff1f0000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007feff1f0000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"retu
rn_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Error Message Instrument\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":126,"nt_status":-1073741515,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000005c","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000005c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":-1073741515,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"NtClose","arguments":{"handle":"0x000000000000005c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007feff340000","module_name":"LPK.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff346ab0","function_name":"LpkTabbedTextOut","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureA
ddress","arguments":{"function_address":"0x000007feff345300","function_name":"LpkPSMTextOut","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff341460","function_name":"LpkDrawTextEx","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff34a050","function_name":"LpkEditControl","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtClose","arguments":{"handle":"0x0000000000000070"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtClose","arguments":{"handle":"0x000000000000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000006c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrLoadDll","arguments":{"basename":"gdi32","flags":0,"module_address":"0x000007fefdf40000","module_name":"gdi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefdf458f0","function_name":"GetCharABCWidthsI","module":"GDI32","module_address":"0x000007fefdf40000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.4
4702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":5,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000006c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":0,
"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":5,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000006c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007feff660000","module_name":"rpcrt4.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff6ae660","function_name":"I_RpcInitNdrImports","module":"RPCRT4","module_address":"0x000007feff660000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"NtOpenDirectoryObject","arguments":{"desired_access":"0x0000000f","directory_handle":"0x0000000000
000088","dirpath":"\\Sessions\\1\\BaseNamedObjects","dirpath_r":"\\Sessions\\1\\BaseNamedObjects"},"category":"file","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrLoadDll","arguments":{"basename":"ole32","flags":0,"module_address":"0x000007fefd890000","module_name":"ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8b0870","function_name":"CoInitializeEx","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"CoInitializeEx","arguments":{"options":2},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000ac","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000ac","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","value":"ntmarta.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"tim
e":1606943220.46202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000ac","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","value":"ntmarta.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{
"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_acce
ss":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},
{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"LdrLoadDll","arguments":{"basename":"ntmarta","flags":0,"module_address":"0x000007fefc6c0000","module_name":"ntmarta.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefc6c1654","function_name":"GetMartaExtensionInterface","module":"ntmarta","module_address":"0x000007fefc6c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000ac"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8a74a8","function_name":"CoInitializeSecurity","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"CoInitializeSecurity","arguments":{},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtClose","arguments":{"handle":"0x00000000000000a8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8b4650","function_name":"CoCreateInstance","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"CoCreateInstance","arguments":{"class_context":1,"clsid":"{0000034b-0000-0000-c000-000000000046}","iid":"{0000015b-0000-0000-c000-000000000046}"
},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741700,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.49402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":203,"nt_status":-1073741568,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.49402},{"api":"LdrLoadDll","arguments":{"basename":"OLEAUT32","flags":0,"module_address":"0x000007feff790000","module_name":"OLEAUT32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"s
tacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7b2880","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":327},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff793280","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791240","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":8},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x00000000775e1eb0","function_name":"FlsGetValue","module":"kernel32","module_address":"0x00000000775c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.54002},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c03000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.61902},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0xfffffffffffffffe","source_process_handle":"0xffffffffffffffff","source_process_identifier":1952,"target_handle":"0x0000000000000148","target_process_handle":"0xffffffffffffffff","target_process_identifier":1952},"category":"sy
stem","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.61902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c04000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.61902},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0xfffffffffffffffe","source_process_handle":"0xffffffffffffffff","source_process_identifier":1952,"target_handle":"0x0000000000000150","target_process_handle":"0xffffffffffffffff","target_process_identifier":1952},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2108,"time":1606943220.61902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c06000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2108,"time":1606943220.61902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c08000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":32768,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2264,"time":1606943220.61902},{"api":"CoCreateInstance","arguments":{"class_context":5,"clsid":"{9ba05972-f6a8-11cf-a442-00a0c90a8f39}","iid":"{85cb6900-4d95-11cf-960c-0080c7f4ee85}"}
,"category":"ole","flags":{"clsid":"ShellWindows","iid":"IID_IShellWindows"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrLoadDll","arguments":{"basename":"OLEAUT32","flags":0,"module_address":"0x000007feff790000","module_name":"OLEAUT32","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7962e0","function_name":"BSTR_UserSize","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff796310","function_name":"BSTR_UserMarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff796690","function_name":"BSTR_UserUnmarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff796650","function_name":"BSTR_UserFree","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff798810","function_name":"VARIANT_UserSize","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff79
86c0","function_name":"VARIANT_UserMarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff798300","function_name":"VARIANT_UserUnmarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff798120","function_name":"VARIANT_UserFree","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7e1a20","function_name":"LPSAFEARRAY_UserSize","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7e1a10","function_name":"LPSAFEARRAY_UserMarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7f8b60","function_name":"LPSAFEARRAY_UserUnmarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff8012a0","function_name":"LPSAFEARRAY_UserFree","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value
":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtClose","arguments":{"handle":"0x0000000000000178"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000184","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000178","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}"},"category":"registry","flags":{"informatio
n_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)","value":"{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000178"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000178","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time
":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TreatAs"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"<INVALID POINTER>","information_class":3,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741789,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u009e\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u0000A\u00004\u0000A\u00001\u0000A\u00001\u00002\u00008\u0000-\u00007\u00006\u00008\u0000F\u0000-\u00004\u00001\u0000E\u00000\u0000-\u0000B\u0000F\u00007\u00005\u0000-\u0000E\u00004\u0000F\u0000D\u0000D\u0000D\u00007\u00000\u00001\u0000C\u0000B\u0000A\u0000}\u0000","information_class":3,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"categ
ory":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\Progid"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020219","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\C
LSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0006\u0000\u0000","information_class":7,"key_handle":"0x0000000000000184","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\Progid"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000178","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000178","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"stat
us":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocServer32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","value":"C:\\Program Files\\Internet 
Explorer\\ieproxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","value":"C:\\Program Files\\Internet Explorer\\ieproxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel","value":"Both"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocHandler32"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_st
atus":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocHandler"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000178"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtClose","arguments":{"handle":"0x0000000000000178"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000184","regkey":"HKEY
_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000178","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TreatAs"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.85302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000178"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2
524,"time":1606943220.86902},{"api":"LdrLoadDll","arguments":{"basename":"ieproxy","flags":0,"module_address":"0x000007fef3380000","module_name":"C:\\Program Files\\Internet Explorer\\ieproxy.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef3381530","function_name":"DllGetClassObject","module":"ieproxy","module_address":"0x000007fef3380000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef3381010","function_name":"DllCanUnloadNow","module":"ieproxy","module_address":"0x000007fef3380000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c2f000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":28672,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000d90000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":64,"region_size":65536,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtProtectVirtu
alMemory","arguments":{"base_address":"0x0000000000d90000","heap_dep_bypass":1,"length":65536,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":32,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"t
ime":1606943220.86902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","value":"{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desir
ed_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\TreatAs"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"<INVALID 
POINTER>","information_class":3,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741789,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u009e\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u0000C\u00009\u00000\u00002\u00005\u00000\u0000F\u00003\u0000-\u00004\u0000D\u00007\u0000D\u0000-\u00004\u00009\u00009\u00001\u0000-\u00009\u0000B\u00006\u00009\u0000-\u0000A\u00005\u0000C\u00005\u0000B\u0000C\u00001\u0000C\u00002\u0000A\u0000E\u00006\u0000}\u0000","information_class":3,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\Progid"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":-1073741772,"retur
n_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020219","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0006\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\Progid"},"category":"registry","flags":{
"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000180","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000180","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocServer32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_cla
ss":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","value":"C:\\Windows\\system32\\actxprxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","value":"C:\\Windows\\system32\\actxprxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel","value":"Both"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.884
02},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocHandler32"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocHandler"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.90002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value
":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\
TreatAs"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.90002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"LdrLoadDll","arguments":{"basename":"actxprxy","flags":0,"module_address":"0x000007fef9920000","module_name":"C:\\Windows\\system32\\actxprxy.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef9921030","function_name":"DllGetClassObject","module":"actxprxy","module_address":"0x000007fef9920000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef9921010","function_name":"DllCanUnloadNow","module":"actxprxy","module_address":"0x000007fef9920000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stack
trace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_
MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","value":"{00000320-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00000320-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags
":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","value":"{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","f
lags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00000320-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktra
ce":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"cate
gory":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000180","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.9
3102},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"st
acktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000200","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"t
id":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)","value":"{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version","value":"1.0"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.9
3102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x000000000000016c","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegEnumKeyW",
"arguments":{"index":1,"key_handle":"0x000000000000016c","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{},"last_error":14007,"nt_status":-2147483622,"return_value":259,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.94702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x0000000000000180","key_name":"0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category"
:"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000168","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000170","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000170","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\shell32.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x0000000000000174","filepath":"C:\\Windows\\System32\\shell32.dll","filepath_r":"\\??\\C:\\Windows\\system32\\shell32.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stac
ktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8\u0000\u0000\u0000","file_handle":"0x0000000000000174","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":248},"category":"file","flags":{},"return_value":248,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x0000000000000174","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0006\u0000j\u0013\u0093Y\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x0000000000000174","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":240},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".text\u0000\u0000\u0000t\u00ebB\u0000\u0000\u0010\u0000\u0000\u0000\u00ecB\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".rdata\u0000\u0000\u00cc\u001d\u000b\u0000\u0000\u0000C\u0000\u0000\u001e\u000b\u0000\u0000\u00f0B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".data\u0000\u0000\u0000\u0000\u0095\u0000\u0000\u0000 
N\u0000\u0000|\u0000\u0000\u0000\u000eN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".pdata\u0000\u0000\u009c\u009e\u0004\u0000\u0000\u00c0N\u0000\u0000\u00a0\u0004\u0000\u0000\u008aN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00e0M\u0084\u0000\u0000`S\u0000\u0000N\u0084\u0000\u0000*S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450240},"category":"file","flags":{},"return_value":5450240,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0007\u0000","file_handle":"0x0000000000000174","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"N\n\u0002\u0080\u0090\u0000\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags
":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5583950},"category":"file","flags":{},"return_value":5583950,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450264},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"|\n\u0002\u0080\b\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5583996},"category":"file","flags":{},"return_value":5583996,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450272},"category":"file","fl
ags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"l\n\u0002\u0080H\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5583980},"category":"file","flags":{},"return_value":5583980,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"L\u0000I\u0000B\u0000R\u0000A\u0000R\u0000Y\u0000","file_handle":"0x0000000000000174","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450280},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u00ac\n\u0002\u0080\u0080\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_han
dle":"0x0000000000000174","move_method":0,"offset":5584044},"category":"file","flags":{},"return_value":5584044,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450288},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0084\n\u0002\u0080\u0098\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5584004},"category":"file","flags":{},"return_value":5584004,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u000b\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450296},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u009c\n\u0002\u0080\u00b8\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":16069
43220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5584028},"category":"file","flags":{},"return_value":5584028,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x0000000000000174","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450304},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450680},"category":"file","flags":{},"return_value":5450680,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000174","length":16,"offset":0}
,"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450696,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u00d8Z\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5473496},"category":"file","flags":{},"return_value":5473496,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000174","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000@^\u0001\u0000","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":
"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5539904},"category":"file","flags":{},"return_value":5539904,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtReadFile","arguments":{"buffer":" 2\u00d7\u0000Hz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x0000000000000174","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"GetFileSize","arguments":{"file_handle":"0x0000000000000174","file_size_low":14182400},"category":"file","flags":{},"return_value":14182400,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x0000000000000174","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000188","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x0000000000da0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000188","section_offset":14024704,"view_size":98304,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000170"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000168"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000
0000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000",
"information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000168","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000170","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry"
,"flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000170","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000170"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000168","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000170","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.978
02},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000170","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000018c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\stdole2.tlb"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtClose","arguments":{"handle":"0x000000000000018c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x000000000000018c","filepath":"C:\\Windows\\System32\\stdole2.tlb","filepath_r":"\\??\\C:\\Windows\\system32\\stdole2.tlb","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"
},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b8\u0000\u0000\u0000","file_handle":"0x000000000000018c","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":184},"category":"file","flags":{},"return_value":184,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x000000000000018c","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0001\u0000S\u00ca[J\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x000000000000018c","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":240},"category":"file","flags":{},"return_value":448,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00a0?\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000018c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":512},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u00f8\u0000\u0000\u0080(\u0000\u0000\u0080","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"Se
tFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":760},"category":"file","flags":{},"return_value":760,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000018c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":536},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u00e8\u0000\u0000\u0080@\u0000\u0000\u0080","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":744},"category":"file","flags":{},"return_value":744,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x000000000000018c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x000000000000018c","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":544},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":
1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":576},"category":"file","flags":{},"return_value":576,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":592,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u0088\u0000\u0000\u0080","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":648},"category":"file","flags":{},"return_va
lue":648,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000\u00c8\u0000\u0000\u0000","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0011\u0000\u0000@:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"GetFileSize","arguments":{"file_handle":"0x000000000000018c","file_size_low":16896},"category":"file","flags":{},"return_value":16896,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x000000000000018c","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000190","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtMapViewOfSecti
on","arguments":{"allocation_type":0,"base_address":"0x0000000000dc0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000190","section_offset":0,"view_size":16384,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000170"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000168"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00020420-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"clsid":"PSDispatch","iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x000000000000018c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000dc0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":16384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x0000000000000190"},"category":"system"
,"flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000da0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":98304},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\I
nterface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000174","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey",
"arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000188","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"in
formation_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey"
:"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000200","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.0250
2},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000174","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)","value":"{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000174","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version","value":"1.0"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"
key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x0000000000000174","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C9056
4FE}"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegEnumKeyW","arguments":{"index":1,"key_handle":"0x0000000000000174","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{},"last_error":14007,"nt_status":-2147483622,"return_value":259,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x0000000000000188","key_name":"0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000
0000000190","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000190","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000018c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\shell32.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x000000000000016c","filepath":"C:\\Windows\\System32\\shell32.dll","filepath_r":"\\??\\C:\\Windows\\system32\\shell32.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIB
UTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8\u0000\u0000\u0000","file_handle":"0x000000000000016c","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":248},"category":"file","flags":{},"return_value":248,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x000000000000016c","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0006\u0000j\u0013\u0093Y\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x000000000000016c","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":240},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".text\u0000\u0000\u0000t\u00ebB\u0000\u0000\u0010\u0000\u0000\u0000\u00ecB\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".rdata\u0000\u0000\u00cc\u001d\u000b\u0000\u0000\u0000C\u0000\u0000\u001e\u000b\u0000\u0000\u00f0B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".data\u0000\u0000\u0000\u0000\u0095\u0000\u0000\u0000 
N\u0000\u0000|\u0000\u0000\u0000\u000eN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".pdata\u0000\u0000\u009c\u009e\u0004\u0000\u0000\u00c0N\u0000\u0000\u00a0\u0004\u0000\u0000\u008aN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00e0M\u0084\u0000\u0000`S\u0000\u0000N\u0084\u0000\u0000*S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450240},"category":"file","flags":{},"return_value":5450240,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0007\u0000","file_handle":"0x000000000000016c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"N\n\u0002\u0080\u0090\u0000\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags
":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5583950},"category":"file","flags":{},"return_value":5583950,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450264},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"|\n\u0002\u0080\b\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5583996},"category":"file","flags":{},"return_value":5583996,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450272},"category":"file","fl
ags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"l\n\u0002\u0080H\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5583980},"category":"file","flags":{},"return_value":5583980,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"L\u0000I\u0000B\u0000R\u0000A\u0000R\u0000Y\u0000","file_handle":"0x000000000000016c","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450280},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u00ac\n\u0002\u0080\u0080\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_han
dle":"0x000000000000016c","move_method":0,"offset":5584044},"category":"file","flags":{},"return_value":5584044,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450288},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0084\n\u0002\u0080\u0098\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5584004},"category":"file","flags":{},"return_value":5584004,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u000b\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450296},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u009c\n\u0002\u0080\u00b8\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":16069
43221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5584028},"category":"file","flags":{},"return_value":5584028,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x000000000000016c","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450304},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450680},"category":"file","flags":{},"return_value":5450680,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000016c","length":16,"offset":0}
,"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450696,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u00d8Z\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5473496},"category":"file","flags":{},"return_value":5473496,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000016c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000@^\u0001\u0000","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":
"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5539904},"category":"file","flags":{},"return_value":5539904,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":" 2\u00d7\u0000Hz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x000000000000016c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"GetFileSize","arguments":{"file_handle":"0x000000000000016c","file_size_low":14182400},"category":"file","flags":{},"return_value":14182400,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x000000000000016c","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000180","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x0000000000da0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000180","section_offset":14024704,"view_size":98304,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000190"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000
0000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000",
"information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000190","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000190","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry"
,"flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000018c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000168"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000190","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.072
02},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000018c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000168","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\stdole2.tlb"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtClose","arguments":{"handle":"0x0000000000000168"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x0000000000000168","filepath":"C:\\Windows\\System32\\stdole2.tlb","filepath_r":"\\??\\C:\\Windows\\system32\\stdole2.tlb","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"
},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b8\u0000\u0000\u0000","file_handle":"0x0000000000000168","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":184},"category":"file","flags":{},"return_value":184,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x0000000000000168","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0001\u0000S\u00ca[J\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x0000000000000168","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":240},"category":"file","flags":{},"return_value":448,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00a0?\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000168","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":512},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u00f8\u0000\u0000\u0080(\u0000\u0000\u0080","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"Se
tFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":760},"category":"file","flags":{},"return_value":760,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000168","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":536},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u00e8\u0000\u0000\u0080@\u0000\u0000\u0080","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":744},"category":"file","flags":{},"return_value":744,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x0000000000000168","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x0000000000000168","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":544},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":
1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":576},"category":"file","flags":{},"return_value":576,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":592,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u0088\u0000\u0000\u0080","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":648},"category":"file","flags":{},"return_va
lue":648,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000\u00c8\u0000\u0000\u0000","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0011\u0000\u0000@:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"GetFileSize","arguments":{"file_handle":"0x0000000000000168","file_size_low":16896},"category":"file","flags":{},"return_value":16896,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x0000000000000168","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000170","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtMapViewOfSecti
on","arguments":{"allocation_type":0,"base_address":"0x0000000000dc0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000170","section_offset":0,"view_size":16384,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000190"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00020420-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"clsid":"PSDispatch","iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x0000000000000168"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000dc0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":16384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x0000000000000170"},"category":"system"
,"flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000da0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":98304},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd9607f0","function_name":"CoAllowSetForegroundWindow","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791180","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":9},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791180","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":9},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791210","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":6},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8af1d8","function_name":"CoUninitialize","mo
dule":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"CoUninitialize","arguments":{},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000054"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-appmodel-runtime-l1-1-2","flags":0,"module_address":"0x0000000000000000","module_name":"api-ms-win-appmodel-runtime-l1-1-2","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1072365560,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x0000000000000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x0000000000000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0
x0000000000000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000a60000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":28672},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000134"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000130"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000a70000","free_type":16384,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000a70000","free_type":32768,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":65536},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000a50000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000128"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000b8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000bc"
},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000c4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000d0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000d4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000b0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000009c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000098"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000058"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15
002},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefccc4a74","function_name":"CryptReleaseContext","module":"CRYPTSP","module_address":"0x000007fefccc0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"LdrUnloadDll","arguments":{"library":"IMM32","module_address":"0x000007feff1f0000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS 
NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741515,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000001c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000020"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"LdrUnloadDll","arguments":{"library":"ntmarta","module_address":"0x000007fefc6c0000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000e4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtTerminateProcess","arguments":{"process_handle":"0xffffffffffffffff","process_identifier":1952,"status_code":"0x00000000"},"category":"process","flags":{},"last_error":203,"nt_status":-1073741568,"return_value":0,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002}],"command_line":"\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","first_seen":1606943649.755751,"modules":[{"baseaddr":"0x13ff30000","basename":"firefox.exe","filepath":"C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","imgsize":593920},{"baseaddr":"0x777e0000","basename":"ntdll.dll","filepath":"C:\\Windows\\SYSTEM32\\ntdll.dll","imgsize":1744896},{"baseaddr":"0x775c0000","basename":"kernel32.dll","filepath":"C:\\Windows\\system32\\kernel32.dll","imgsize":1175552},{"baseaddr":"0x7fefd5b0000","basename":"KERNELBASE.dll","filepath":"C:\\Windows\\system32\\KERNELBASE.dll","imgsize":434176},{"baseaddr":"0x7fef0b10000","basename":"mozglue.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\mozglue.dll","imgsize":507904},{"baseaddr":"0x7feff3f0000","basename":"ADVAPI32.dll","filepath":"C:\\Windows\\system32\\ADVAPI32.dll","imgsize":897024},{"baseaddr":"0x7fefe0f0000","basename":"msvcrt.dll","filepath":"C:\\Windows\\system32\\msvcrt.dll","imgsize":651264},{"baseaddr":"0x7feff350000","basename":"sechost.dll","filepath":"C:\\Windows\\SYSTEM32\\sechost.dll","imgsize":126976},{"baseaddr":"0x7feff660000","basename":"RPCRT4.dll","filepath":"C:\\Windows\\system32\\RPCRT4.dll","imgsize":1232896},{"baseaddr":"0x7fefd660000","basename":"CRYPT32.dll","filepath":"C:\\Windows\\system32\\CRYPT32.dll","imgsize":1495040},{"baseaddr":"0x7fefd4e0000","basename":"MSASN1.dll","filepath":"C:\\Windows\\system32\\MSASN1.dll","imgsize":61440},{"baseaddr":"0x7fefc730000","basename":"VERSION.dll","filepath":"C:\\Windows\\system32\\VERSION.dll","imgsize":49152},{"baseaddr":"0x7fefd850000","basename":"WINTRUST.dll","filepath":"C:\\Windows\\system32\\WINTRUST.dll","imgsize":241664},{"baseaddr":"0x7fef88b0000","basename":"dbghelp.dll","filepath":"C:\\Windows\\system32\\dbghelp.dll","imgsize":1200128},{"baseaddr":"0x7fef0a70000","basename":"MSVCP140.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\MSVCP140.dll","imgsize":634880},{"baseaddr":"0x7fef4fd0000","basename":"VCRUNTIME140.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\VCRUNTIME140.dll","imgsize":90112},{"baseaddr":"0x7fef7210000","basename":"api-ms-win-crt-runtime-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla 
Firefox\\api-ms-win-crt-runtime-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef0970000","basename":"ucrtbase.DLL","filepath":"C:\\Program Files\\Mozilla Firefox\\ucrtbase.DLL","imgsize":1024000},{"baseaddr":"0x7fefac50000","basename":"api-ms-win-core-localization-l1-2-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-localization-l1-2-0.dll","imgsize":12288},{"baseaddr":"0x7fef6240000","basename":"api-ms-win-core-processthreads-l1-1-1.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-processthreads-l1-1-1.dll","imgsize":12288},{"baseaddr":"0x7fef7140000","basename":"api-ms-win-core-file-l1-2-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-file-l1-2-0.dll","imgsize":12288},{"baseaddr":"0x7fef5400000","basename":"api-ms-win-core-timezone-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-timezone-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef53f0000","basename":"api-ms-win-core-file-l2-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-file-l2-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef4e70000","basename":"api-ms-win-core-synch-l1-2-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-synch-l1-2-0.dll","imgsize":12288},{"baseaddr":"0x7fef4e80000","basename":"api-ms-win-crt-string-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-string-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef4e50000","basename":"api-ms-win-crt-heap-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-heap-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef4e60000","basename":"api-ms-win-crt-stdio-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-stdio-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef4df0000","basename":"api-ms-win-crt-convert-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla 
Firefox\\api-ms-win-crt-convert-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef4e00000","basename":"api-ms-win-crt-locale-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-locale-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3ab0000","basename":"api-ms-win-crt-math-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-math-l1-1-0.dll","imgsize":20480},{"baseaddr":"0x7fef4de0000","basename":"api-ms-win-crt-time-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-time-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3a90000","basename":"api-ms-win-crt-filesystem-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-filesystem-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3aa0000","basename":"api-ms-win-crt-environment-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-environment-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3a70000","basename":"api-ms-win-crt-utility-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-utility-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x74540000","basename":"monitor-x64.dll","filepath":"C:\\tmpcaygsr\\bin\\monitor-x64.dll","imgsize":2269184}],"pid":1952,"ppid":2976,"process_name":"firefox.exe","process_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","tid":2524,"time":0,"track":true,"type":"process"}],"processtree":[{"children":[],"command_line":"C:\\Windows\\system32\\lsass.exe","first_seen":1606943609.640625,"pid":500,"ppid":384,"process_name":"lsass.exe","track":false},{"children":[{"children":[],"command_line":"\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","first_seen":1606943649.755751,"pid":1952,"ppid":2976,"process_name":"firefox.exe","track":true}],"command_line":"\"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe\" 
","first_seen":1606943648.427626,"pid":2976,"ppid":3028,"process_name":"Win32.DarkTequila.exe","track":true}],"summary":{"command_line":["\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974"],"directory_enumerated":["C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Windows\\SysWOW64","C:\\Windows","C:\\Windows\\SysWOW64\\*.*"],"dll_loaded":["urlmon.dll","api-ms-win-appmodel-runtime-l1-1-2","apphelp.dll","gdi32.dll","msvcrt.dll","C:\\Program Files\\Internet Explorer\\ieproxy.dll","Ole32.dll","ntmarta.dll","api-ms-win-downlevel-advapi32-l1-1-0.dll","PROPSYS.dll","API-MS-Win-Core-LocalRegistry-L1-1-0.dll","KERNEL32.DLL","api-ms-win-downlevel-ole32-l1-1-0.dll","advapi32.dll","ole32.dll","CRYPTSP.dll","C:\\Windows\\system32\\IMM32.DLL","wpcap.dll","C:\\Windows\\system32\\actxprxy.dll","OLEAUT32","OLEAUT32.dll","Shell32.dll","comctl32.dll","api-ms-win-downlevel-shlwapi-l2-1-0.dll","ADVAPI32.dll","SETUPAPI.dll"],"file_created":["c:\\Windows\\csrss.dll"],"file_exists":["C:\\Windows\\SysWOW64\\ieframe.dll"],"file_opened":["C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","C:\\Windows\\SysWOW64\\","\\??\\c:","\\??\\PhysicalDrive0","C:\\Windows\\System32\\shell32.dll","C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","C:\\Windows\\AppPatch\\sysmain.sdb"],"file_read":["C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\System32\\shell32.dll","C:\\Windows\\SysWOW64\\ieframe.dll"],"file_recreated":["\\??\\C:"],"file_written":["c:\\Windows\\csrss.dll"],"guid":["{00000320-0000-0000-c000-000000000046}","{0000015b-0000-0000-c000-000000000046}","{00020420-0000-0000-c000-000000000046}","{76765b11-3f95-4af2-ac9d-ea55d8994f1a}","{9ba05972-f6a8-11cf-a442-00a0c90a8f39}","{85cb6900-4d95-11cf-960c-0080c7f4ee85}","{00000000-0000-0000-c000-000000000046}","{d5f569d0-593b-101a-b569-08002b2dbf7a}","{0000034b-0000-0000-c000-000000000046}","{871c5380-42a0-1069-a2ea-08002b30309d}","{000214e6-0000-0000-c000-000000000046}"],"mutex":["Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"],"regkey_opened":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\SYSTEM\\Select","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Svchost","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings"],"regkey_read":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\AdminTabProcs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer","HKEY_LOCAL_MACHIN
E\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_LOCAL_MACHINE\\SOFT
WARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2
E9408FE}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache"],"regkey_written":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Svchost\\Wcsrss","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64"]}},"debug":{"action":["gatherer"],"cuckoo":["2020-12-02 21:13:58,542 [cuckoo.core.scheduler] INFO: Task #10: acquired machine cuckoo1 (label=win7cuckoo)\n","2020-12-02 21:13:58,542 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #10\n","2020-12-02 21:13:58,542 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay\n","2020-12-02 21:13:58,548 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 11572 (interface=vboxnet0, host=192.168.56.101)\n","2020-12-02 21:13:58,549 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n","2020-12-02 21:13:58,573 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7cuckoo\n","2020-12-02 21:13:58,689 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7cuckoo to cuckoo-ready5\n","2020-12-02 21:14:02,934 [cuckoo.core.guest] INFO: Starting analysis #10 on guest (id=cuckoo1, ip=192.168.56.101)\n","2020-12-02 21:14:03,937 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n","2020-12-02 21:14:04,943 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n","2020-12-02 21:14:05,946 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n","2020-12-02 21:14:06,003 [cuckoo.core.guest] DEBUG: cuckoo1: not ready 
yet\n","2020-12-02 21:14:07,032 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)\n","2020-12-02 21:14:07,062 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3884763)\n","2020-12-02 21:14:07,326 [cuckoo.core.resultserver] DEBUG: Task #10: live log analysis.log initialized.\n","2020-12-02 21:14:07,976 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n","2020-12-02 21:14:08,178 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n","2020-12-02 21:14:09,253 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0001.jpg'\n","2020-12-02 21:14:09,259 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 127170\n","2020-12-02 21:14:09,762 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n","2020-12-02 21:14:10,337 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0002.jpg'\n","2020-12-02 21:14:10,344 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 124839\n","2020-12-02 21:14:11,442 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0003.jpg'\n","2020-12-02 21:14:11,445 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 126799\n","2020-12-02 21:14:12,256 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #10 still processing\n","2020-12-02 21:14:13,604 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0004.jpg'\n","2020-12-02 21:14:13,615 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 124612\n","2020-12-02 21:14:14,273 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully\n","2020-12-02 21:14:14,280 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay\n","2020-12-02 21:14:14,319 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer\n","2020-12-02 21:14:16,525 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7cuckoo to 
path /home/jean/.cuckoo/storage/analyses/10/memory.dmp\n","2020-12-02 21:14:16,529 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7cuckoo\n","2020-12-02 21:14:16,630 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0005.jpg'\n","2020-12-02 21:14:16,702 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 126296\n","2020-12-02 21:14:16,906 [cuckoo.core.resultserver] DEBUG: Task #10 had connection reset for <Context for LOG>\n","2020-12-02 21:14:20,398 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.56.101 for task #10\n","2020-12-02 21:14:20,822 [cuckoo.core.scheduler] DEBUG: Released database task #10\n","2020-12-02 21:14:21,251 [cuckoo.core.plugins] DEBUG: Executed processing module \"AnalysisInfo\" for task #10\n","2020-12-02 21:14:21,663 [cuckoo.core.plugins] DEBUG: Executed processing module \"BehaviorAnalysis\" for task #10\n","2020-12-02 21:14:21,665 [cuckoo.core.plugins] DEBUG: Executed processing module \"Dropped\" for task #10\n","2020-12-02 21:14:21,666 [cuckoo.core.plugins] DEBUG: Executed processing module \"DroppedB"],"dbgview":[],"errors":[],"log":["2020-12-02 21:13:29,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmpcaygsr\n","2020-12-02 21:13:29,015 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\xjdrXqVKEocylZtiKIZVzSdkMxH\n","2020-12-02 21:13:29,015 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\LpDHTZmFiObyxUcCZLljz\n","2020-12-02 21:13:29,171 [analyzer] DEBUG: Started auxiliary module DbgView\n","2020-12-02 21:13:29,530 [analyzer] DEBUG: Started auxiliary module Disguise\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Loaded monitor into process with pid 500\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module Human\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module 
Reboot\n","2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module RecentFiles\n","2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module Screenshots\n","2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n","2020-12-02 21:13:29,780 [lib.api.process] INFO: Successfully executed process from path u'C:\\\\Users\\\\mes-vms\\\\AppData\\\\Local\\\\Temp\\\\Win32.DarkTequila.exe' with arguments '' and pid 2976\n","2020-12-02 21:14:08,505 [analyzer] DEBUG: Loaded monitor into process with pid 2976\n","2020-12-02 21:14:09,677 [analyzer] INFO: Injected into process with pid 1952 and name u'\\uc7d0\\u022c'\n","2020-12-02 21:14:09,880 [analyzer] DEBUG: Loaded monitor into process with pid 1952\n","2020-12-02 21:14:10,645 [lib.api.process] WARNING: The process with pid 1952 is not alive, memory dump aborted\n","2020-12-02 21:14:11,240 [analyzer] INFO: Process with pid 1952 has terminated\n","2020-12-02 21:14:12,645 [analyzer] INFO: Added new file to list with pid 2976 and path C:\\Windows\\csrss.dll\n","2020-12-02 21:14:12,661 [lib.api.process] WARNING: The process with pid 2976 is not alive, memory dump aborted\n","2020-12-02 21:14:13,240 [analyzer] INFO: Process with pid 2976 has terminated\n","2020-12-02 21:14:13,240 [analyzer] INFO: Process list is empty, terminating analysis.\n","2020-12-02 21:14:14,240 [analyzer] INFO: Error dumping file from path \"c:\\windows\\csrss.dll\": [Errno 13] Permission denied\n","2020-12-02 21:14:14,240 [analyzer] INFO: Analysis completed.\n"]},"info":{"added":1606943609.47906,"category":"file","custom":null,"duration":22,"ended":1606943660.876434,"git":{"fetch_head":"13cbe0d9e457be3673304533043e992ead1ea9b2","head":"13cbe0d9e457be3673304533043e992ead1ea9b2"},"id":10,"machine":{"label":"win7cuckoo","manager":"VirtualBox","name":"cuckoo1","shutdown_on":"2020-12-02 21:14:20","started_on":"2020-12-02 
21:13:58","status":"stopped"},"monitor":"2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b","options":"procmemdump=yes,route=none","owner":null,"package":"exe","platform":"windows","route":"none","score":6.4,"started":1606943638.493838,"version":"2.0.7"},"metadata":{"output":{"pcap":{"basename":"dump.pcap","dirname":"","sha256":"704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea"}}},"network":{"dead_hosts":[],"dns":[],"dns_servers":[],"domains":[],"hosts":[],"http":[],"http_ex":[],"https_ex":[],"icmp":[],"irc":[],"mitm":[],"pcap_sha256":"704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea","smtp":[],"smtp_ex":[],"tcp":[],"tls":[],"udp":[]},"screenshots":[{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0001.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0002.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0003.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0004.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0005.jpg"}],"signatures":[{"description":"Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)","families":[],"markcount":1,"marks":[{"category":"registry","description":null,"ioc":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","type":"ioc"}],"name":"recon_fingerprint","references":[],"severity":1,"ttp":{}},{"description":"Tries to locate where the browsers are installed","families":[],"markcount":1,"marks":[{"category":"file","description":null,"ioc":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","type":"ioc"}],"name":"locates_browser","references":[],"severity":1,"ttp":{}},{"description":"Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory 
available","families":[],"markcount":1,"marks":[{"call":{"api":"GlobalMemoryStatusEx","arguments":{},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},"cid":1059,"pid":2976,"type":"call"}],"name":"antivm_memory_available","references":[],"severity":1,"ttp":{"T1082":{"long":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.","short":"System Information Discovery"}}},{"description":"The executable uses a known packer","families":[],"markcount":1,"marks":[{"category":"packer","description":null,"ioc":"UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser","type":"ioc"}],"name":"peid_packer","references":[],"severity":1,"ttp":{"T1045":{"long":"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory.","short":"Software Packing"}}},{"description":"One or more processes crashed","families":[],"markcount":5,"marks":[{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c100d","exception_code":"0xc0000094","instruction":"div eax","instruction_r":"f7 f0 e8 9c 05 00 00 85 c0 74 06 b8 0a 00 00 00","module":"Win32.DarkTequila.exe","offset":4109,"symbol":"win32+0x100d"},"registers":{"eax":0,"ebp":2752212,"ebx":0,"ecx":3503292416,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751908},"stacktrace":"win32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":208,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c1602","exception_code":"0xc0000096","instruction":"in eax, dx","instruction_r":"ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45","module":"Win32.DarkTequila.exe","offset":5634,"symbol":"win32+0x1602"},"registers":{"eax":1447909480,"ebp":2751900,"ebx":0,"ecx":10,"edi":1971160937,"edx":22104,"esi":7155388,"esp":2751844},"stacktrace":"win32+0x1014 @ 0x3c1014\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 
0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":210,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c1546","exception_code":"0xc000001d","instruction_r":"0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec","module":"Win32.DarkTequila.exe","offset":5446,"symbol":"win32+0x1546"},"registers":{"eax":1,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":0,"esi":7155388,"esp":2751844},"stacktrace":"win32+0x1023 @ 0x3c1023\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":211,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c12ad","exception_code":"0x80000004","instruction":"mov dword ptr [ebp + 0xfffffffc], 0xfffffffe","instruction_r":"c7 45 fc fe ff ff ff b8 01 00 00 00 8b 4d f0 64","module":"Win32.DarkTequila.exe","offset":4781,"symbol":"win32+0x12ad"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751860},"stacktrace":"win32+0x108c @ 0x3c108c\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 
0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},"cid":259,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c121d","exception_code":"0x80000003","instruction":"rol byte ptr [ebx + 0x45c702c0], -4","instruction_r":"c0 83 c0 02 c7 45 fc fe ff ff ff b8 01 00 00 00","module":"Win32.DarkTequila.exe","offset":4637,"symbol":"win32+0x121d"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2026067364,"edi":1971160937,"edx":844648,"esi":7155388,"esp":2751860},"stacktrace":"win32+0x10b9 @ 0x3c10b9\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},"cid":266,"pid":2976,"type":"call"}],"name":"raises_exception","references":[],"severity":1,"ttp":{}},{"description":"Allocates read-write-execute memory (usually to unpack 
itself)","families":[],"markcount":4,"marks":[{"call":{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x00390000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":256,"pid":2976,"type":"call"},{"call":{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10001000","heap_dep_bypass":1,"length":40960,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},"cid":1273,"pid":2976,"type":"call"},{"call":{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x1000b000","heap_dep_bypass":1,"length":704512,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},"cid":1274,"pid":2976,"type":"call"},{"call":{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000d90000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":64,"region_size":65536,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},"cid":201,"pid":1952,"type":"call"}],"name":"allocates_rwx","references":[],"severity":2,"ttp":{}},{"description":"Creates executable files on the 
filesystem","families":[],"markcount":1,"marks":[{"category":"file","description":null,"ioc":"c:\\Windows\\csrss.dll","type":"ioc"}],"name":"creates_exe","references":[],"severity":2,"ttp":{"T1129":{"long":"The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.","short":"Execution through Module Load"}}},{"description":"Creates a service","families":[],"markcount":1,"marks":[{"call":{"api":"CreateServiceA","arguments":{"desired_access":983551,"display_name":"Windows Client Server Runtime Subsystem","error_control":0,"filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss","filepath_r":"%SystemRoot%\\system32\\svchost.exe -k Wcsrss","password":"","service_handle":"0x006deca0","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem","service_start_name":"","service_type":16,"start_type":2},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1378,"pid":2976,"type":"call"}],"name":"creates_service","references":[],"severity":2,"ttp":{"T1031":{"long":"Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. 
Service configurations can be modified using utilities such as sc.exe and Reg.","short":"Modify Existing Service"}}},{"description":"The binary likely contains encrypted or compressed data indicative of a packer","families":[],"markcount":2,"marks":[{"description":"A section with a high entropy has been found","entropy":7.999643147892846,"section":{"entropy":7.999643147892846,"name":"UPX1","size_of_data":"0x000d5800","virtual_address":"0x0000d000","virtual_size":"0x000d6000"},"type":"generic"},{"description":"Overall entropy of this PE file is high","entropy":0.9976635514018691,"type":"generic"}],"name":"packer_entropy","references":["http://www.forensickb.com/2013/03/file-entropy-explained.html","http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"],"severity":2,"ttp":{"T1045":{"long":"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory.","short":"Software Packing"}}},{"description":"Checks for the Locally Unique Identifier on the system for a suspicious privilege","families":[],"markcount":4,"marks":[{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeDebugPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":194,"pid":2976,"type":"call"},{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeSecurityPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1417,"pid":2976,"type":"call"},{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeRestorePrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1419,"pid":2976,"type":"call"},{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeTakeOwnershipPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1421,"pid":2976,"type":"call"}],"name":"privilege_luid_check","references":[],"severity":2,"ttp":{}},{"description":"The executable is compressed using UPX","families":[],"markcount":2,"marks":[{"description":"Section name indicates UPX","section":"UPX0","type":"generic"},{"description":"Section name indicates UPX","section":"UPX1","type":"generic"}],"name":"packer_upx","references":[],"severity":2,"ttp":{"T1045":{"long":"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory.","short":"Software Packing"}}},{"description":"Checks for the presence of known windows from debuggers and forensic tools","families":[],"markcount":4,"marks":[{"call":{"api":"FindWindowA","arguments":{"class_name":"OLLYDBG","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":248,"pid":2976,"type":"call"},{"call":{"api":"FindWindowA","arguments":{"class_name":"WinDbgFrameClass","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":249,"pid":2976,"type":"call"},{"call":{"api":"FindWindowA","arguments":{"class_name":"PROCMON_WINDOW_CLASS","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":250,"pid":2976,"type":"call"},{"call":{"api":"FindWindowA","arguments":{"class_name":"PROCEXPL","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":251,"pid":2976,"type":"call"}],"name":"antidbg_windows","references":[],"severity":3,"ttp":{"T1057":{"long":"Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software running on systems within the network.","short":"Process Discovery"}}},{"description":"Installs itself for autorun at Windows startup","families":[],"markcount":2,"marks":[{"service_name":"WindowsClientServerRunTimeSubsystem","service_path":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss","type":"generic"},{"reg_key":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","reg_value":"%SystemRoot%\\csrss.dll","type":"generic"}],"name":"persistence_autorun","references":[],"severity":3,"ttp":{"T1053":{"long":"Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system.","short":"Scheduled Task"},"T1060":{"long":"Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. 
These programs will be executed under the context of the user and will have the account's associated permissions level.","short":"Registry Run Keys / Startup Folder"}}},{"description":"Detects VMWare through the in instruction feature","families":[],"markcount":1,"marks":[{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c1602","exception_code":"0xc0000096","instruction":"in eax, dx","instruction_r":"ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45","module":"Win32.DarkTequila.exe","offset":5634,"symbol":"win32+0x1602"},"registers":{"eax":1447909480,"ebp":2751900,"ebx":0,"ecx":10,"edi":1971160937,"edx":22104,"esi":7155388,"esp":2751844},"stacktrace":"win32+0x1014 @ 0x3c1014\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":210,"pid":2976,"type":"call"}],"name":"antivm_vmware_in_instruction","references":[],"severity":3,"ttp":{}},{"description":"File has been identified by 62 AntiVirus engines on VirusTotal as malicious","families":[],"markcount":62,"marks":[{"category":"Bkav","description":null,"ioc":"W32.AIDetectVM.malware2","type":"ioc"},{"category":"Elastic","description":null,"ioc":"malicious (high confidence)","type":"ioc"},{"category":"Cynet","description":null,"ioc":"Malicious (score: 
100)","type":"ioc"},{"category":"FireEye","description":null,"ioc":"Generic.mg.9fbdc5eca123e815","type":"ioc"},{"category":"CAT-QuickHeal","description":null,"ioc":"Trojan.Dynamer.8198","type":"ioc"},{"category":"McAfee","description":null,"ioc":"GenericRXAA-FA!9FBDC5ECA123","type":"ioc"},{"category":"Cylance","description":null,"ioc":"Unsafe","type":"ioc"},{"category":"Zillya","description":null,"ioc":"Trojan.Kryptik.Win32.820724","type":"ioc"},{"category":"Sangfor","description":null,"ioc":"Malware","type":"ioc"},{"category":"K7AntiVirus","description":null,"ioc":"Trojan ( 0004a2ea1 )","type":"ioc"},{"category":"Alibaba","description":null,"ioc":"Worm:Win32/DarkTequila.7550016f","type":"ioc"},{"category":"K7GW","description":null,"ioc":"Trojan ( 0004a2ea1 )","type":"ioc"},{"category":"Cybereason","description":null,"ioc":"malicious.ca123e","type":"ioc"},{"category":"Arcabit","description":null,"ioc":"Trojan.Graftor.D1F955","type":"ioc"},{"category":"TrendMicro","description":null,"ioc":"TSPY_DARKTEQUILA.A","type":"ioc"},{"category":"Cyren","description":null,"ioc":"W32/S-91f5258d!Eldorado","type":"ioc"},{"category":"Symantec","description":null,"ioc":"Backdoor.DarkTeq","type":"ioc"},{"category":"TotalDefense","description":null,"ioc":"Win32/Bancos_i","type":"ioc"},{"category":"APEX","description":null,"ioc":"Malicious","type":"ioc"},{"category":"Avast","description":null,"ioc":"Win32:Malware-gen","type":"ioc"},{"category":"Kaspersky","description":null,"ioc":"Trojan.Win32.DarkTequila.d","type":"ioc"},{"category":"BitDefender","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"NANO-Antivirus","description":null,"ioc":"Trojan.Win32.Dwn.dyfxok","type":"ioc"},{"category":"Paloalto","description":null,"ioc":"generic.ml","type":"ioc"},{"category":"MicroWorld-eScan","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"Tencent","description":null,"ioc":"Malware.Win32.Gencirc.10b3f5ed","type":"ioc"},{"category":"Ad-
Aware","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"Emsisoft","description":null,"ioc":"Gen:Variant.Graftor.129365 (B)","type":"ioc"},{"category":"Comodo","description":null,"ioc":"TrojWare.Win32.Crypt.EBT@611gnb","type":"ioc"},{"category":"F-Secure","description":null,"ioc":"Trojan.TR/Crypt.XPACK.Gen3","type":"ioc"},{"category":"DrWeb","description":null,"ioc":"Trojan.DownLoader17.30288","type":"ioc"},{"category":"VIPRE","description":null,"ioc":"Trojan.Win32.Generic.pak!cobra","type":"ioc"},{"category":"Invincea","description":null,"ioc":"Mal/Generic-R + W32/Crastic-A","type":"ioc"},{"category":"McAfee-GW-Edition","description":null,"ioc":"BehavesLike.Win32.Generic.cc","type":"ioc"},{"category":"Sophos","description":null,"ioc":"W32/Crastic-A","type":"ioc"},{"category":"SentinelOne","description":null,"ioc":"Static AI - Suspicious PE","type":"ioc"},{"category":"Jiangmin","description":null,"ioc":"Variant.Strictor.h","type":"ioc"},{"category":"Webroot","description":null,"ioc":"W32.Trojan.Gen","type":"ioc"},{"category":"Avira","description":null,"ioc":"TR/Crypt.XPACK.Gen3","type":"ioc"},{"category":"MAX","description":null,"ioc":"malware (ai 
score=100)","type":"ioc"},{"category":"Antiy-AVL","description":null,"ioc":"Trojan/Win32.SGeneric","type":"ioc"},{"category":"Gridinsoft","description":null,"ioc":"Worm.Win32.Mydoom.ka!i","type":"ioc"},{"category":"Microsoft","description":null,"ioc":"Worm:Win32/Crastic!rfn","type":"ioc"},{"category":"AegisLab","description":null,"ioc":"Trojan.Win32.DarkTequila.trya","type":"ioc"},{"category":"ZoneAlarm","description":null,"ioc":"Trojan.Win32.DarkTequila.d","type":"ioc"},{"category":"GData","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"AhnLab-V3","description":null,"ioc":"Trojan/Win32.HDC.C138160","type":"ioc"},{"category":"Acronis","description":null,"ioc":"suspicious","type":"ioc"},{"category":"BitDefenderTheta","description":null,"ioc":"AI:Packer.519AA5961F","type":"ioc"},{"category":"ALYac","description":null,"ioc":"Trojan.Agent.DarkTequila","type":"ioc"}],"name":"antivirus_virustotal","references":[],"severity":6,"ttp":{}}],"static":{"imported_dll_count":2,"keys":[],"pdb_path":null,"pe_exports":[],"pe_imphash":"fc785ac8507eb2f8e2af81f89b4cb6fd","pe_imports":[{"dll":"KERNEL32.DLL","imports":[{"address":"0x4e3568","name":"LoadLibraryA"},{"address":"0x4e356c","name":"GetProcAddress"},{"address":"0x4e3570","name":"VirtualProtect"},{"address":"0x4e3574","name":"VirtualAlloc"},{"address":"0x4e3578","name":"VirtualFree"},{"address":"0x4e357c","name":"ExitProcess"}]},{"dll":"msvcrt.dll","imports":[{"address":"0x4e3584","name":"free"}]}],"pe_resources":[{"filetype":"GLS_BINARY_LSB_FIRST","language":"LANG_ENGLISH","name":"RT_ICON","offset":"0x000e33dc","size":"0x00000128","sublanguage":"SUBLANG_ENGLISH_US"},{"filetype":"GLS_BINARY_LSB_FIRST","language":"LANG_ENGLISH","name":"RT_ICON","offset":"0x000e33dc","size":"0x00000128","sublanguage":"SUBLANG_ENGLISH_US"},{"filetype":"data","language":"LANG_ENGLISH","name":"RT_GROUP_ICON","offset":"0x000e3508","size":"0x00000022","sublanguage":"SUBLANG_ENGLISH_US"}],"pe_sections":[{"entropy":0.0,"n
ame":"UPX0","size_of_data":"0x00000000","virtual_address":"0x00001000","virtual_size":"0x0000c000"},{"entropy":7.999643147892846,"name":"UPX1","size_of_data":"0x000d5800","virtual_address":"0x0000d000","virtual_size":"0x000d6000"},{"entropy":2.6819136088621818,"name":".rsrc","size_of_data":"0x00000800","virtual_address":"0x000e3000","virtual_size":"0x00001000"}],"pe_timestamp":"1999-12-05 05:15:29","pe_versioninfo":[],"peid_signatures":["UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser"],"signature":[]},"strings":["!This program cannot be run in DOS mode.","$]q\\<-",";i8,?}jWI&","\u001fR=.w}","F\",Og1g","Ei;<6<","d[?Q^\u001f","@EYzz:L","8?U):Dp","rUxS2\\","mS*<[S&","^AhYQ+","DW!I;J/","V%b,kT","O8\u001f`l ","kAW!k}","_@D<3q/","\\p5TV:\u001fd","Gj@@GEX",":aZq}hW","[+*X\\5","$QnAU$","v<%*$V","C&9q/r","\u001fZ{]F;","U6&eb{","MvGyZ:oL","pD1;Dm"," pLmxMp",">EUH&J","Y^1egN",">^<Md=","*tO6v1,","\\0mWyx","Ng}>\\t","18@j -Z","p2eRXD\"",")66'mV","t#e(u0+","j;\\zZT","27Mi#_","i'$K'f","KDY+fr","q[iH4Q","rC{;IG","@Al#7<","iZ>>z@","C=|e!1a","0g*TU4","l{LM]&M/*Xh","Gpf{nm","dR'c'[","=GtKHls","HJytA]Z","bQp+c\"","`Ob\"+T","mOav1.","%Tn`S;O","b9EN'P@","k^\\w2km",",^Ef'1","Q+{RZX:","#Mq~xLm","\\fO;GXf-","6V,;E4","Vu?HU'","x4{;n,","8ZetN6&","7$8)dI","UFX\"M+","6\\%xLQ","Jq=+Lc_","95[\\}>","^_=/6{","Cf/\\PX",",c2Mkt.f","j(q5Z*","nnc_rp["," 8b6G=#","\u001fvAW;qK","i|e%8Ef","T:t9@S","0OG8#*","AGF ]/","^Wv+Om#","kRSNzA|","rhaIIM",";E0Ow4","ckt`8/","oVTmk&","'fw>z0","@vn\"Q;J","059az.","0[s19b","7}J#&'","!.4>G%","#reb;(","9LW\u001fFG","4k;8qf","N!Acxz","v.]Q\u001f7_","H\"-5lV/","[]rc\\9","F)HYQ9V","j?nn AY","wt5a.H","ys]cC:","Ck\"fshh","la@\\W`","5(4Iw#","=WE&hZ;2","Nes!kCJ/","WqgM+>x4",",fcxi~","0H0xy=t","<dTbmx","MbR`(\"`","229.]cwG","^P-d.lj","J2:w;G,#K&","9W=($H","Q\u001fZu]{s","v'0to{p&","TRG0oe","]L(L%[","%d[2QU",":(k!_W","3H9&&^","VH+(v|n",">b{\"26G","Mp1El/Y","a>*[d8","-&VJG0O}","X'u[%n","~ 
E.@w","E(8kFg","YQ7\u001fKg","6@J{d[k","Fi=zY,","Hh-}7G","'#Z*i}","*}hj%/","ZC+s3L","{m?K5m,_/","G ;}HE","egyF|=","`Kx<Y/","&TJU97xfp$4,","Td=!beO","7FLec5A","=g-HEp","uNDy(|(","=}L{p5","buqCYLW]","Pi*5w=","ISnD`k]","ouN$muE(","]z+,!z5","r'\u001f]Pa<","+v;m&n","Udx\\[U","8M\"o>t","h.I\")R","^!<mE@","-Q_Har","zat''d"," 'h>^}","JBR[0TT@","g\"a6HI","@Yb9nkj","i.^m|+","jrym+:Ly9","IEY40xS","&[e\u001f_}:","ol VvL","ae:kv|[]!","4#x-&4","_+aYc]N","q`i@BJ","Nq4w3u","N);];'_]X^","AL@EOOB","e.Lm\\6","mw^bYU","GiWuEj(*Oe","D%u0 g","]8J*gw","Gf1g.q","Fs/=^&","aO7v57","6K&M.*!","R|7Zmh","}C<<J3k",".Qz55Ey","o3w`K+d","cy55v*Y+","T_(J~q","H%* [g","$IT.eBt","69AE'%","G~0v,_HB0","L44BM\"","PL1WpB8","=uea^D","N1v$f*","U6iIE%","r8F<fk'","G6g2|Q","AE:\\Qs","dU.F?80","1#An}\\Q","!+}S-S","iIL)_Q","N2S&(h","w\\Y-W&","JOM+*s","_PF_Yj",")2!l0S4","HV05C,z","5fL7(Z","xy.,S6","t*Zkcz\"X","\u001f| rn%","=%J0p\u001f","?Vt}>J",">\u001fpXZ'",")zj4/#","Db.}!Z","#O4IVf","C7-86.","3KC|PY","Lz: N.","b#w/|.","NY/NV%V","esnHb:s","t[5T}V)e","=uYHfz","WGlJOc","4sf}.w/}","cI9J9F,-","uf|z/h","v(j6lq","E:<J9p",";Hzb+]","Nk},f3;","s4\u001faxx<","{ IX( ","A*AzLS","<uOAZ)X","2;t`?\u001f","$C\"$eQ","xa0a.s","^#zIG:","cd0-XZ","2P+& L3","K&t7=|uDvZP","!cOdkD","IjYWVZ"," h@+e\u001f","-HLP)LX","))U ,R","yDfcn3aFA",")[Ld\u001fj","i=Qm[/","qbkLm0R)","3z\u001f)K?","OB*rH$","K#BK`;b!","`s]Q*(","]O!i<8","@\\|g7O,",".To.hTI","]i.i`-<","5x\\tgrjj","f>9\\V9","TY3gv@X","P?H]6e2['` ","\\i%US0","N[ss$U","yiVD\u001fG","%ySCO?r","2k`mG/","uu4:xwS","fJ\\Nf+{","\u001fo`].9","yX1#0p","]g6DIzr3","B()-,M]$!","Vs\\Qi#%","R&bmV\u001f'","A\\7P%S","zYK0K^","J;-Od3","RZ~CNG","hjwE2#7l<","/eu+n ","! 
YsP+","\"64^Sr","cv\\wQ0","+)'[f;%","Lqm^Bd","ZwIjA^","YL7V!M{","ue:}Rk6","JV~OgL","vTvok_","lw9/nf","4E op3","]Hilt1","6B!zB<",">Rk3/L","-v8\" s;j","x@#+^0","}P.(t%\\","PL|a.h","n]k({=","X#0z@z","BE~\"8W",">9jA0i","mOQ)!*","a$~K\\]","\u001f9oC)&9","8H+5,**","^,r`8j","7sX[=JsJ","k+|T7+7","JSU9TD-","s\\%c$E","l<VpYb","!iG9d>","zK*P44yO","-?:9+)%","TdKEe+","ydr<{C&'","7@E/x_4","hq!?eu","!@>L,>","a2<ni`h9","@(Ijgr","}{[=yYTx","\"[j,!9",">QD4/,]","AY7SMF","ax^EkuR5","{d!XW:","2,LhnK","LcTz{B","54Jfxy","'\u001fw\\[t","W4yWgD","Y0&+ 6.","^hIi26N","v9}X,<S","h\u001fUdJ<","[)x}9L","UU5\\EO","hmY(%N","6t3-|K","#Z{JMw","WC6/GHr;1","yF,h&Z","1`OT\\+@q","J~w{Bs","|\"^_uQ","3v\\/AX","|3\\Ad=","lucPPL",")%5O p","L+NI>C","o*tX+B","ayL.F%","OfO&wI",",VkWUuUX#3;*}","q\"J6`|",">!;vyB","~.O\"6/","=E[u<j","PQU'rh","\u001f$9fKy","O\\*>#1i","vr!B\\O8?","8GHv{S","d\u001fD'^'$","yj\\DD_","o@Ckgx","_`psm`",">E8)3k","a|:gwsX","#Pp8}R","Su0t:-$~","t{}S$HeM","VFbi_;y","`'7_\\v{s","~Xq!0>0","n,$FqxbAS","B~9Q-\\a","Qj=;@g","uL5Tw \u001f",";M:/+6^","E|g2Na","kS,pDC","p@O!'<_","jN^CK|Qq","ot'J<~{","j#73*/Q","P<j1hU","o.44uw","6LXg\"803","NZVvOg","\\k`z 5","}=BWkd}","rn5D[*","xg5)HOt","-3l8uM","~'8</W","4eu\\eK","C!wz;*","KWqvu?N","D Lcb3V","S-\\r28","`n<&A~","(4f<mM","e%>hos","`M-crYyj","72QG-W","}'efeIJ","6\\0G|V","4%}B^Y","y>NA!Lg",":s'Kq,Jk","dn9p43","p-{PGl","(?s,]_","\"h&VC;N","7;qqEy","=b[4!~",">-Q\u001fTW","V$@m2We^","'X8/N6K","v892Vd~|","3;^pRW","2;SsRdV","Dl8<'z",";j]zz1"," Z&'}*","~KMRc%","PJ0DOp",";)[J 
Q","WS7EE=","{~={f}","[8]MbHrW","d.5{`Y","p~~ItuV","9V+(vp","s*>EkY",";-.>(&","xWk&Co","\\#[gV4:","=]0ZCi*h","4Y;1|#","^U;gW|","n}DV.D",",#+%$1","%IC9-b","ncdvAJ","oT8wy}","R8.n/U","O)XvSL","Zov[;1","hw([cI","'&>nT'+","<LXoS'","z>{gY`","0e;F|*{","XW=6#S","g*X<*0","/kDN?~","4\u001f5Ti-}","&(AOSY*u/","v}ynf:w","l0P#-z",".]O>tH","7e7!AZF","o/`}/W\"?j\u001f","J.+Q7*U1","I|ZK*P'","Zph1Ej:I","(yoi)LP","XYl6Ew","{fa^Q0","T]x(f9i","[,'YQH2","lKxcaI","T>RZ\\8fW",",iMJM*","NE?:hY","qXb=)<)?","oI;Y(>","!@cb1W","3F, >4)","L^;JG*6","ik,\\+0"," ?/-l@","HEV;$`-",",t^9vLdt","]O01Zg","n9`3>j","F4SPN,","@y\u001fo&C","<1:N.*","\u001f4S:HM","\u001f_*eE#","e,mzv4WQd","S-j*|0","P?h{e\\^","^{gdb3",";BRZ\\:2-\u001f","^*]r;<","<w2tx[ZK","B/4&=>V","C@5QR*","{O&O>0","Aa5c}^","!.iY6fWU","+PF3V,","Ad\"S6c","txu6<h#",";oDaPZA",";KYCUj","6*!he0z","`uO\">n(4","!K&asy","HuL)=,","j9r%.F?","\\;'MG$",",Zb^&8","Qsg<oQMC","TP*4OTe","mJGvmx1/","VO|l(G","Y!V(gD","K`i$F,h","DrnG!-","~W,UZG","|sOZpJ","UF*mom","Mc`@#\"","?{+=(b","y8Qh/o","$OdNkB","5N:]#v","))F#1P","r[jR^Qv","c*(<Py6","S<p\"t/","8X27\u001fA","IUlMlV@",",+iP=C","4>;G[#","06h<sg","9|=4CR'B0","A3<'5|","-!}:WEK","z8YhM>","lLOHAK;7","=_H@c+","/hs:l`'",">dKA`!","TfxY#qT","Xx_\"Z!","Wqs\\3 ","h#[),M","}K\\RG0","^__%Av",")M~lw|k","I4J73b","4P*7>.'","y)h{Hk","\u001fL6 t\\","2.hN+U8&p","r^u|9?","K0MP.V","!h_#q}ez","A8fp; ","HnDb`a0","j]jBp:","4``[;0","'Gqd\\f","dE(7k]","s7I~'Ip","=}h\"IhI","DI0*?U","}a/ 9\u001f","[:zc_E(","-{x?N~"," '{9;v-e","~g7lGz0","z6*[w<","%>E9|]gi","t_H}XT","W-K[oM","xq(jR|3D)","i0Byf=","4Su-t'",".h?5UF","n,[b6i","\u001f8}/J/","$6JVh6","\\mgr-u","M]9\\HB?","e*V{\"$","F`517f\u001f!)","7Sm(DF","vNaZCV","vjy<{$","o,4>\u001f]","Pw2~<6A","%7mxX57","4]*0D,\u001f","\"LR19}",".`<)&N.","$Qp.Lj","E|fk&,;","T !Vom","'G/`|M;","PEId_t<!","7U.g|wk","M@`K~d","fCwv0k","w+A}=[","Cg.znr","MnoEGB","[F.2wp","7Ws T:","?yN|(!","YJ3Jrrli-|","b4#Y/|","-cIrC#;","5mEF-Y_","~BPaMNAq=","}TG\u001fNE","-L>wN%g~","7zS1o~YU$W","iM,~*Q[/="," T 
qiXb#","Oj!\u001fD)","(!UFs{","4d]z.w","4`@YB'","zG>2i)","J{341@","Y'{WIQ2","wlVJ>j","9X>q1|","q[LYsw","aYFw6B}","u',r\"@Nh}q","}jc;]T","2^JIcp","nK+ Jw","|(d%0%","+/km/y",",62t9x","P;zR j","~XMsY\u001f","RO\\\"3`","QX;^6*nt","\"vd-2!",";N6D\"5","C)<'9W","g;\"VW ",";nX4JEb","t=D*1 ","EDXcWtL","$n!uep","tVvzC\"","WH[wL4","d:QOU>x@","o#/w#Z-","/uulk\"NI","=nX/h{p^r","+=QZOD","%R4vJ-r","{);z5V\"","?YIb<7","<rM6sFv","^BbepS","@;CJzW","x?)OSC\"WY","YW}~7%",", WnrEcj","l^XZYAUj","\\/'.4p3","Z-'}~a","~pHe;T","SfZM:c<","&\"|1&v","=ib\u001fzA;Y",">3,/lTj2","m`aShE","ISH#MU","wD ozv3pL","[?'jMi~","\\,Lr.LW","C)k;/\"","r_II34","Zs %Gi","{qmeRz","{V8F\"5","Js[w~q'X","=oUD%K","w7kUHL9","+RfrJ@$7","cKU/L[","?-K!9\"k","1!9F8{","sYHE4X1","heS>h;","}`O=,!z","4!@[|~V7=:","@ob \\*","%u&k+N",":b<Cjzb","w<X&mu","<$4v).","@^hwY!0","kOw!6NR",",)<uPq","1Ewts}","A5#V0C","e_dv/sG)1\"",".%I}=)","q6Py\"~)","I5Z^#7","433X5YrZ","c_yg8#as","vx6`B$","}8E\\_M","da4.+e","D3']q-|","_<XwLh0","|DYshu","**75RfX","3LnBL_","\u001fDav]r","W(o*SE","[i|k>=7","5|avPc","X\\A}r %%","|d.tZ9",",+Qj=1w","9%o\u001fzD","=kf-+G",",dy#P&","|k(6XdB","IP9Ivx","_XCy.e","8Pw?md","#D5bK]\u001f>","h\"^^#u","/!Nn+m","z!\\R>E","'ux\\=[#","UT-$5-","l~{U<k","QaJp:_","x2t4Cm^","&:Ye=\\","mSH5X+ZJ","=UDj\" ","3_2QB,T","c}b;]tb","v_93?g","5<r(iA","uxH*S;",";KcA$]s","B\\{#g^>j","di6'?!0","x40oU4%","TeKmB,","`aq\\kv","y\";QM3","|d-;+'c","<G\u001f\u001fXX",">O&3yL4","d-:aASPR\"","F<{y;(","|hQ@$?","vzn_3=","v7yN!&","9EmRH^xp! O","s-G_'k@OW","gdc#iP|","*KLzi/","I]O.|Dxn2","En*6_D","~x%A57w"," kL=$a\\","?D8J<f","`W_)40","E8n+PhH","f!<|W%","cWwnz ","5$:6T}","TJzTvH","{=&lC1","D99Mc^","JQ =cJc","3=|8c1w","2Y+5?H","Y^smOS","F6m-b=","6rtadW","S\\{kvQ","fDk0Mz","a_![9y","tZ<%)O","K%z'-U","jW`n-\u001f","FE:H!_","o8wb34'b","p6] CX","'mxf. 
Z","J9`Y;\"","^3a=2.","5yLUS)\\","Me8lRx",".iT\"yj","F}=96n","B|2iPu","V 2?I6","K4_Trv",">t<9$P","7!|#1w2","i5=<qn","B9,w=?","d8WC+H","E#=.)C","L^aEk.T;",",E/jS3","6nZucm\"","l4jmrj","+BT?'4","T5m *q1","4$(%<]4?L",",Sac]H","F|iR6}Znq","d\"6 zB","\u001f^8d$Lc^2>","A U|(]n","`h>\"Oe\"","}oBbj+","&)&4&s","DX+3^:n","xg&lTV","}]r7s8?","D{ Ifbv","y`FBQ9","pLr-vJL!}T","/&8/`[","`pU6[Y~[yX7","PK+l-\"","\u001fjm\u001frTA","lL>Tu/h","x.~Y~g","IZ{>iG","\"_9zx_","-R?\\BYL","oK{rJL","kF(ntd","vjb(.z_","df2ap3","y>GeBD","^zALa4","\u001f|1$&9W","89++vd","'x{~?h9","pbys6Y7","B2'^on`","]eM2go","+Oj@n;","/WYg0m","EqKiNm7","?>y1E+","|\".<9^","~wQ$aAP","+r\"RDo","|Ikox@","=\"Zgg>","}#/>lD","_D4Szs","8//HYx","^zt.<u",";{qa*oM","0Wa[=B","=F8=ymt\\ 7","/:\"u`E","ig\u001fGL$w","%l}\\5GF\u001f","3QZA!G","d<NvEQ","m%TDBp","P+>:,s","cn5oGz","m/JMYYw ",";(|-`S9","WDgP3\\","S- groW","S^42YM","D>]5=b{","s+h-WF!","?Fl& ~}","jb~rP ","PY`J%C","Y,~,mNQ","@iQ[x>(Z","#\"<KH@","!qh<& ","9)ERV{R","dO@\"&+","GNYng!","g5_Xh3H","T\"v80C ","t@lk@4Z","u\u001f\"0!+","&\\$4WT\"","[hlcFr","2ji?\"'","8?;<bo ","3?tG'#","qKVdd<","QK,M0oQ)","uJ:d<3","0*li4=",">d\\Xk!","VhYwMG","\\n|%T\"","\u001fPkT:=}","~rDXfI",":3-~O/{","'}!TK0",";rb\"8N","@V$3XAA{"," @}++\"","'q\"3Ip","9G=~HO","^6?!:8","h#@Ke<",">?Y~ZXig","T6sc'>","uH3TJ,","#iO\"T-&","=ln0 v`","7yBQclg}",",ys!47",":)5&N\\","6)#G1=","1);C 0","iKt0G=\\","/rZ..t(}","i1bj!v","!CGcWn","3Y SwH5",")%i3G\\R","3=H%-d","{(G(20xx{","l&o\u001f*~;",",Z)%kLi","]n%pqD",">A-j^F","N|u#LjWZ","fSSyjF","vO3qh(S","~3_`k[=6","uV_Xff","c@o&FE","IZW(Jq","n :e_Z","}o)~iD","8K>8b.!","96&\\NN","!\\sMV)","7hM=up","1ch/<*","&SOGD7<]","(#O_=OBCaex=","jZA'-9","@X:r?6"," 
z>$0S","d*+'c)","^sF_V7VFg","U.Rj(o","ff:IZ&E|=o:%","@6=cp$","DAu7~\"7",">>KYv9S","&/^,`|{",")oaq#=","C[U\"9_P","vQO75H<","&8gYDP","rzX7]Oo","X'?,Yp","?i{G\\^","zz$iK[","k|~)\u001fdxh","JO39k\\","9\"(*Y:","5Hlb7E","aZ()tR~","l)sfo\"","\"}K-TF","F|~nuI","PT'|+>","!^n#d^","E}>S>0n","A=#b,6","[f(K3X<","AGq_WX","l~F%Z#W","}2VzlX","<%w7k/","1h|4APO","'bSb;7","N*@tHXq(","kn@SkX","5Auk{:","U\\{{R<6","w8(@p0","CiO>tD","{_|2X;","n1}0gV","]2'n{JV`","ot)uz)","$MDu6&","A\"9y `:","vR-,:ZN","(/.(z12","Z}h!-TI",";[BG|c\u001f3l","1@1iU_","T\"aXLl~","]5GsgOm","$m@kQ*E","b`IawA","\\!K&-Q[6",";QMY;P","5T%uZhUVd","(7m@4Ux","BX^7Hs","<<Dd`wl\\","DN>\u001fS;","$e vn\"s","&M~&(c","%xSg!&","96$)r0","z nDuT","I;vD^c","8?-}|h}","X`\u001fDdH5k","I)@u:b","uo!INN","c)uV=ZuSqZ","E<vuk'","c<9tv1P","n5>)_&","Xc|}Ja","g Bs},","kY\\P3jUK","(P2AAP@","Zp*ut;!X","@GX|)E","/wWqjt","1 8!{B\u001f?$","n(Pvb[[","R3t5u8","T7[]& =","j&&jf>","5+Nx|`","stPW,0","w^]`\\',","OKqJ y","+CL(u+","/VksQ>","LW|H560","W,a2iQM","(-XwA`","$cD]StJf","(LL~QE$","S:j.9~b","z&kKJ{?!","zO^PhT","2#y+>j?","V}F{O+","IcU0U-","0=k\",Q","\\76%S,U|","k{qyE|","QwqZo`","m\u001f7r_M","I2rP]b","(.|}<s","mb@3eT",".3Ek[v","`X~zA&","L3Q%2IkH","F1E\"F3-","-VHe!_\u001fr","ty3T{j","gC&D4A","1#}4k[","Fe>66N","}\\iD=D","j0SM3q&","y[v{Hg","*}`R@$","R`$u1y2 ","`:nn#p0","mL?8o'{","+A\u001fyAC0","-9Ex5\u001f","{2M.=eP",")hJy;BQz!","9^\u001f0K ","0OG&\"y","_J}PfuJ","BgCF.tR"," ,0iSQ","TeYn~w`y",")?I$(%","+?XrF3","u|G:F.","JQAS%M","2QU }(","yx6c]n2","B1|7E*f-A","{9k_mH","m{$3mo7","64#Yhq",";Z;h-w,BZ","@NY!c2D+?","=7C+o`","P'WMifq","&r>MCP","U9ziw>",".=~igz%","2MSbK[","6UdOh|LzRF","((@v]5",",oA1]CG","\u001f+W\u001f*Y","8`w+*S;","I&lc\">","EHb~t]>",",lJ{F<","_/jV@q","9T^S59t^","jZtY@Lu","2]%_r,","yv<\u001fllC","_gRcp`","Ifop)A8","HNqBS ","8=C1PUf","V]$~RR","U`U>} 
","8/xg@%","ZY\u001fSi\u001f","kuzW7#;","KmXdnt","1\"n9Pt","y9?/,]","DH\u001fj4XwL","'F^}/CM","QO/~O6_","$4ot]0=","$*sV\\>","iI/yMq",":}J=1^","gzl)&^","`0Cbn!","c|w=6d","=u[_>X","[xs2.o7d","Y~B\u001fo]$","Hz74Jl",":qcj R","Xf<]7i","9,Em$<","Q:@8hp","w FtBGu","22\\k1V","Gp=Cc-","YI%bSz*","+Et1|M","5=g,Z`s4w.","/QJgf# #","j]k?6)","JDm@&%","Ytl\u001f:L","f'TI6^","0Y,w,v\\","m mV2d",":$4#O'","6}Xcy{","/VbEb{`","3&-\\s)D","sR.r[_2","PV[O}b",")NvC3?V","I65I.0","6xPx|e","3HP77-2Z",". M%rY","-nA]#R","S#r`<.#","an]RDw","B\\S8z4l","t\":R7c","+l1WIG","4Trch[","/ED:21:","/(Zhj\\d","xdNioq","%eY-6,vN{","~9\\UOA","@24N4U","I_$2 G","7gEZ\u001fT","2q'?DN","Sl<U?/J","F(zI|#8r","f&v>x`3m","xg8;\\w","Eg1\u001f]U([","[C?aAEN",">G@p?<","zJ/6*8G","Cji?~6x","/NN\\Jz","erI\u001fs{g","Wk=/X~","Ig%8h&N","6W ,i@\\","\u001fdoY6b","?I'(8c",";fS$.qR","1QQD&*.S;","{Fwp6P","\u001f.Q.x-'","XnmLe0","#L)m8V","b_>nM\\","aT\u001f`Is","B\u001fC\u001fJ;","Q!1Me[",";CE[YUr","&II$\u001f>H","QN1O\u001fd","$fBRM^A","0j=o\u001f\u001f8W","H#fUVl<2j","E7* 4V","G$pje-","]B7.,{","lI2qR\"","l~D\"-M","\\ (VUj","FlSZVyM","/9rm\u001fkw","d\"f?\u001f[","=j#Aqw","'*!&v:",")f'dv'(","h2vxntA","2fO\\#?","@JGg#G","GqIjx.","=7}%6j","dXt.s1b","T42JGlzU","NlX$Uat","8h'UtV","uQzx/2","dS],J'","6n(fF$","'(BzG_","nzMB+z0","RSj4]O","vat}hg","mc_[a5","N3k6Dkn","MDU\\7p)g","MrKeN\u001f","a&;s8@","Dsk+}}","`**-b0","OGcPC4","72gm@5","6omRC?c6","0107sh ","_C~k*K","vz}/]RNb","tu\\pP\\Kz",",;muvQ","HIFw<MK","3?c:/E_m","_~:x=\u001f>^","j5Aq2Q","iEC\"zT","Vc828T","~w[\u001fk#","rV=he7","'JX;\u001f0","RQ=t'>+Y","m\"dUBu[}{","Dd6~,*0","~Oz-v;",":8bC0^",":FH5\"g","cG\u001f4LA","\\OljvR","&)YC]W)","qHFhKCEH","e,|'_]","S^o<&Z}","RrIi$>XOb","_c$ ,@>I","\u001f7<7=5",":|GM\\i80","li!sDK","){yL0@'I1","|}NMpc","x~RO*G","CZR2sZZ","sf8-4w","!(WJRM#","dt^tM]X","5bJ2A\\","-n$&dka","b:*5E1","<Y#`?<","wL16~H","Fn6\"tk","ogLF'P","RVL`Vy","VmG<)tV","h+I2V7<1",",KWAOf","\"*|t0~","}8R|Ro#T","WG8*6^LxF","j-PIHr","+C}oCDSG","#\\|4%_","e 
^og{","|6t'ZFX","\u001fr4cSE","C6Qo<q","Xz!du>","P(<F\"g.Q&","I2Y&v[",".+gx<%(N","b8?}.`V","l.V bh","H/} TJ","\u001f5:n)3T","UZ72+m","AFpU54","Q+:!%,","z/h\\;l|","},;fS<X\"","fW1EP_^","WnsOdy","2oC\"$e","&*6#/q",":[8v8n","9-`Ziw","s{=6N85","<5`\"]c","\\o%DyPL","Flz@S+Vg7","*3x7nO","`0;9{b","6k!EuH@tY","5Nj?]P","+]M,h9;","$g6>@I","/07OrO)",":qg!nSs","$.Gyzf","OQJ\\Gv","nP}I<E!f","&/hZ|p","#<~Wzr2b5b","DYrO=5K","U~TbpW","I@<k#EpQ","4Z|5V$","D);0$}","Vkt2WSxV\"H","|%}Yap","}B1}/X","I:l:3$","<MC)}a","2V3y\u001fQ","<^aQK\u001f^","G<=oLrG","!YByU.","?cv1Ed4","/+C8-ue","g&0y<%-4","STx-mB","epW\"bVm6",",;oNp)","u`OS3C~","yw/D@#","C{/KH2","CL8NQ5","Lute0X^","Y/QtDd'","yAzCHx","E?$>.\"","<f}+^f\"","L\"z>G~iG","=zLO< *.X#}","I\"S-pY\"","lCaa*p","p!$4zg","?/O0Rw","Czvc/{3","F]kYd ",":=W\u001f\u001fd","ykl &3","7~E]*.h","^]~SRg","L}$jEQ","&^3s.1","n<*;JW","gp^q3q","8K\\{Q5","o)3^e0","28{POn","z.2Od|;","h&)4;BbS","J=oF>O7","g-n5pl&","<+?_l8","P\\QoihPzo","'GrXn>","bis~Cq9","nIwmQ/mKv:","V>{onu","+v^}uU",";vJQdpD-","Gc[k\u001f3","iER4lc",".o0Z\\`","ki*XJaq","kPxDga'Gp]","cC-5|Q","CFC;WnvW","%OLGFl^","MlV/3T}K","\u001fz9m=w","_($_z)r","lJz,Fw","NLN|\u001fl'","!j&'F9","O_1UY~;`","-r_6HJv","b`q\\x\\dq","{h}\\a%",">~9W3J","ffV,6H","Y6(qJV","xsCx=U","_bq\u001fiq","mzEtq{","vD#o3K","TSilz\"a","<h HT","0hnj+g(","\u001f@;aBk","0KN'@ X","5frU7R","W2K?\\U","YTdo/-","J7yepb","8q-h-y","j`<z^(8","q}@DhHC$","F8!u$1-","q[nnO&J","Y<?^({","-<+qC(","k #U\\4h","|FN-/^","PDgbzL","FnB:W'","~v:Us&","$j]X:t","M)E7ZK0","7L{Si^H","T|QW5m","IJ^'A1R<","7cpF.#","thmuo)","tQ@1?\u001f","?3_\u001f.i/","(j9:-^","h,3pxp","UI\"^gE",")el=6Dl7",";U%}nQojL","%Lz4p+","m1d2xJ EO","^? 
CNt$","A-H`n#","qFaw$Q","&?8q)Y","bWI7.-","GSVW w","N`l~?E","\\^~rs{:",">{yN,L:m","w}QrU=D","chg1xI","xgi?kq","`%hx4d",")uj| |","lX=BXU","odzxo I","B`<qoM","J)zqoN","*Ix,93","kr~J-c","6hL[QTr","@^]mFP","Y'LflI","rCIAJh","+\\&zLbgNu","ilU=}L]","&I!qC@w","(|'zp[","A^^\\lV","Ye(36#8","(_5C+D","Ya\"pN#","gV[A=9","j{e S4","eiipak","-%OSY@","jBr\\a~","f,MF*S","t*K6X]","KdBA&'","q7#AN+",">c:BTV[",",o$#s9","it9\\PST","DQY>3G<","tSW\"6\u001f","?+uN~;o","><^]+w","egi+fU","-@M^Nt","bK'nZX","?p<+=hZ","?96j[Eh","ttYo%$","&9}_hm'x","k4z7#8","p:->%[","e#B@idEo",".o&~Fh}XSCK","]IV`KQ/[","~eC(/{d","\\Gx:*i.","-\\/_2f>","8U0 ACJ","+ID%GWd7","zv2>N)","Up@xk17","t$t#t$l","D$t#D$h","D$t+D$\\",".)D$H)","s`)L$4","D$t+D$\\","\u001f)D$H)","9l$\\w_","XPTPSW","wwwwwww","KERNEL32.DLL","msvcrt.dll","LoadLibraryA","GetProcAddress","VirtualProtect","VirtualAlloc","VirtualFree","ExitProcess","IDI_MAIN_ICON"],"target":{"category":"file","file":{"crc32":"33F8BB85","md5":"9fbdc5eca123e81571e8966b9b4e4a1e","name":"Win32.DarkTequila.exe","path":"/home/jean/.cuckoo/storage/binaries/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47","sha1":"7a5b7c5378e0afcc77098a87358e4f6a032d3b00","sha256":"dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47","sha512":"13aa9eb138a716ce9b5e90806c34b5b724a0be78bb747a50b28e9c48e6eed317ff0b46652dc1fcabb973d6a6a5e3a770eea85cfd8b5a0e723f58f4edce2bdd9e","size":877568,"ssdeep":null,"type":"PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed","urls":[],"yara":[{"meta":{"description":"(no description)"},"name":"loki","offsets":{"var1":[[91,0]]},"strings":["Y2Fubm90"]}]}},"virustotal":{"md5":"9fbdc5eca123e81571e8966b9b4e4a1e","normalized":["AIDetectVM","malware2","malicious","high confidence","score","Dynamer","GenericRXAA","Unsafe","Kryptik","DarkTequila","Graftor","TSPY","Eldorado","DarkTeq","Bancos","dyfxok","Gencirc","EBT@611gnb","XPACK","Gen3","DownLoader17","cobra","R + W32","Crastic","Static AI","Suspicious PE","Strictor","ai 
score=100","SGeneric","Mydoom","trya","BScope","EBTT","x7t89GcJVs8","Genetic","confidence","100%"],"permalink":"https://www.virustotal.com/gui/file/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47/detection/f-dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853","positives":62,"resource":"9fbdc5eca123e81571e8966b9b4e4a1e","response_code":1,"scan_date":"2020-11-17 01:50:53","scan_id":"dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853","scans":{"ALYac":{"detected":true,"normalized":["DarkTequila"],"result":"Trojan.Agent.DarkTequila","update":"20201116","version":"1.1.1.5"},"APEX":{"detected":true,"normalized":["Malicious"],"result":"Malicious","update":"20201116","version":"6.98"},"AVG":{"detected":true,"normalized":[],"result":"Win32:Malware-gen","update":"20201117","version":"20.10.5736.0"},"Acronis":{"detected":true,"normalized":[],"result":"suspicious","update":"20201023","version":"1.1.1.80"},"Ad-Aware":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201117","version":"3.0.16.117"},"AegisLab":{"detected":true,"normalized":["DarkTequila","trya"],"result":"Trojan.Win32.DarkTequila.trya","update":"20201117","version":"4.2"},"AhnLab-V3":{"detected":true,"normalized":[],"result":"Trojan/Win32.HDC.C138160","update":"20201116","version":"3.19.1.10100"},"Alibaba":{"detected":true,"normalized":["DarkTequila"],"result":"Worm:Win32/DarkTequila.7550016f","update":"20190527","version":"0.3.0.5"},"Antiy-AVL":{"detected":true,"normalized":["SGeneric"],"result":"Trojan/Win32.SGeneric","update":"20201116","version":"3.0.0.1"},"Arcabit":{"detected":true,"normalized":["Graftor"],"result":"Trojan.Graftor.D1F955","update":"20201116","version":"1.0.0.881"},"Avast":{"detected":true,"normalized":[],"result":"Win32:Malware-gen","update":"20201117","version":"20.10.5736.0"},"Avira":{"detected":true,"normalized":["XPACK","Gen3"],"result":"TR/Crypt.XPACK.Gen3","update":"20201116","ve
rsion":"8.3.3.8"},"Baidu":{"detected":false,"normalized":[],"result":null,"update":"20190318","version":"1.0.0.2"},"BitDefender":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201116","version":"7.2"},"BitDefenderTheta":{"detected":true,"normalized":[],"result":"AI:Packer.519AA5961F","update":"20201113","version":"7.2.37796.0"},"Bkav":{"detected":true,"normalized":["AIDetectVM","malware2"],"result":"W32.AIDetectVM.malware2","update":"20201116","version":"1.3.0.9899"},"CAT-QuickHeal":{"detected":true,"normalized":["Dynamer"],"result":"Trojan.Dynamer.8198","update":"20201116","version":"14.00"},"CMC":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"2.7.2019.1"},"ClamAV":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"0.102.3.0"},"Comodo":{"detected":true,"normalized":["EBT@611gnb"],"result":"TrojWare.Win32.Crypt.EBT@611gnb","update":"20201116","version":"32996"},"CrowdStrike":{"detected":true,"normalized":["malicious","confidence","100%"],"result":"win/malicious_confidence_100% (W)","update":"20190702","version":"1.0"},"Cybereason":{"detected":true,"normalized":["malicious"],"result":"malicious.ca123e","update":"20190616","version":"1.2.449"},"Cylance":{"detected":true,"normalized":["Unsafe"],"result":"Unsafe","update":"20201117","version":"2.3.1.101"},"Cynet":{"detected":true,"normalized":["Malicious","score"],"result":"Malicious (score: 100)","update":"20201115","version":"4.0.0.24"},"Cyren":{"detected":true,"normalized":["Eldorado"],"result":"W32/S-91f5258d!Eldorado","update":"20201116","version":"6.3.0.2"},"DrWeb":{"detected":true,"normalized":["DownLoader17"],"result":"Trojan.DownLoader17.30288","update":"20201116","version":"7.0.49.9080"},"ESET-NOD32":{"detected":true,"normalized":["Kryptik","EBTT"],"result":"a variant of Win32/Kryptik.EBTT","update":"20201117","version":"22331"},"Elastic":{"detected":true,"normalized":["malicious","high 
confidence"],"result":"malicious (high confidence)","update":"20201030","version":"4.0.12"},"Emsisoft":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365 (B)","update":"20201116","version":"2018.12.0.1641"},"F-Secure":{"detected":true,"normalized":["XPACK","Gen3"],"result":"Trojan.TR/Crypt.XPACK.Gen3","update":"20201116","version":"12.0.86.52"},"FireEye":{"detected":true,"normalized":[],"result":"Generic.mg.9fbdc5eca123e815","update":"20201116","version":"32.36.1.0"},"Fortinet":{"detected":true,"normalized":["Kryptik","EBTT"],"result":"W32/Kryptik.EBTT!tr","update":"20201116","version":"6.2.142.0"},"GData":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201117","version":"A:25.27695B:27.20909"},"Gridinsoft":{"detected":true,"normalized":["Mydoom"],"result":"Worm.Win32.Mydoom.ka!i","update":"20201116","version":"1.0.17.106"},"Ikarus":{"detected":true,"normalized":[],"result":"Trojan.Win32.Crypt","update":"20201116","version":"0.1.5.2"},"Invincea":{"detected":true,"normalized":["R + W32","Crastic"],"result":"Mal/Generic-R + W32/Crastic-A","update":"20201117","version":"1.0.2.0"},"Jiangmin":{"detected":true,"normalized":["Strictor"],"result":"Variant.Strictor.h","update":"20201116","version":"16.0.100"},"K7AntiVirus":{"detected":true,"normalized":[],"result":"Trojan ( 0004a2ea1 )","update":"20201116","version":"11.150.35741"},"K7GW":{"detected":true,"normalized":[],"result":"Trojan ( 0004a2ea1 )","update":"20201116","version":"11.150.35742"},"Kaspersky":{"detected":true,"normalized":["DarkTequila"],"result":"Trojan.Win32.DarkTequila.d","update":"20201117","version":"15.0.1.13"},"Kingsoft":{"detected":false,"normalized":[],"result":null,"update":"20201117","version":"2013.8.14.323"},"MAX":{"detected":true,"normalized":["ai score=100"],"result":"malware (ai 
score=100)","update":"20201117","version":"2019.9.16.1"},"Malwarebytes":{"detected":true,"normalized":[],"result":"Trojan.Downloader.FB","update":"20201117","version":"3.6.4.335"},"MaxSecure":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"1.0.0.1"},"McAfee":{"detected":true,"normalized":["GenericRXAA"],"result":"GenericRXAA-FA!9FBDC5ECA123","update":"20201116","version":"6.0.6.653"},"McAfee-GW-Edition":{"detected":true,"normalized":[],"result":"BehavesLike.Win32.Generic.cc","update":"20201116","version":"v2019.1.2+3728"},"MicroWorld-eScan":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201116","version":"14.0.409.0"},"Microsoft":{"detected":true,"normalized":["Crastic"],"result":"Worm:Win32/Crastic!rfn","update":"20201116","version":"1.1.17600.5"},"NANO-Antivirus":{"detected":true,"normalized":["dyfxok"],"result":"Trojan.Win32.Dwn.dyfxok","update":"20201116","version":"1.0.146.25233"},"Paloalto":{"detected":true,"normalized":[],"result":"generic.ml","update":"20201117","version":"1.0"},"Panda":{"detected":true,"normalized":["Genetic"],"result":"Trj/Genetic.gen","update":"20201116","version":"4.6.4.2"},"Qihoo-360":{"detected":true,"normalized":[],"result":"Win32/Trojan.160","update":"20201117","version":"1.0.0.1120"},"Rising":{"detected":false,"normalized":[],"result":null,"update":"20201117","version":"25.0.0.26"},"SUPERAntiSpyware":{"detected":false,"normalized":[],"result":null,"update":"20201113","version":"5.6.0.1032"},"Sangfor":{"detected":true,"normalized":[],"result":"Malware","update":"20201116","version":"1.0"},"SentinelOne":{"detected":true,"normalized":["Static AI","Suspicious PE"],"result":"Static AI - Suspicious 
PE","update":"20201105","version":"4.7.0.18"},"Sophos":{"detected":true,"normalized":["Crastic"],"result":"W32/Crastic-A","update":"20201117","version":"4.98.0"},"Symantec":{"detected":true,"normalized":["DarkTeq"],"result":"Backdoor.DarkTeq","update":"20201116","version":"1.13.0.0"},"TACHYON":{"detected":false,"normalized":[],"result":null,"update":"20201117","version":"2020-11-17.01"},"Tencent":{"detected":true,"normalized":["Gencirc"],"result":"Malware.Win32.Gencirc.10b3f5ed","update":"20201117","version":"1.0.0.1"},"TotalDefense":{"detected":true,"normalized":["Bancos"],"result":"Win32/Bancos_i","update":"20201117","version":"37.1.62.1"},"TrendMicro":{"detected":true,"normalized":["TSPY","DARKTEQUILA"],"result":"TSPY_DARKTEQUILA.A","update":"20201117","version":"11.0.0.1006"},"TrendMicro-HouseCall":{"detected":true,"normalized":["TSPY","DARKTEQUILA"],"result":"TSPY_DARKTEQUILA.A","update":"20201117","version":"10.0.0.1040"},"VBA32":{"detected":true,"normalized":["BScope"],"result":"BScope.Worm.Autorun","update":"20201116","version":"4.4.1"},"VIPRE":{"detected":true,"normalized":["cobra"],"result":"Trojan.Win32.Generic.pak!cobra","update":"20201117","version":"88258"},"ViRobot":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"2014.3.20.0"},"Webroot":{"detected":true,"normalized":[],"result":"W32.Trojan.Gen","update":"20201117","version":"1.0.0.403"},"Yandex":{"detected":true,"normalized":["Kryptik","x7t89GcJVs8"],"result":"Trojan.Kryptik!x7t89GcJVs8","update":"20201114","version":"5.5.2.24"},"Zillya":{"detected":true,"normalized":["Kryptik"],"result":"Trojan.Kryptik.Win32.820724","update":"20201116","version":"2.0.0.4223"},"ZoneAlarm":{"detected":true,"normalized":["DarkTequila"],"result":"Trojan.Win32.DarkTequila.d","update":"20201117","version":"1.0"},"Zoner":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"0.0.0.0"},"eGambit":{"detected":true,"normalized":["Unsafe","Score"],"result":"Unsafe.AI_Score_6
4%","update":"20201117","version":null}},"sha1":"7a5b7c5378e0afcc77098a87358e4f6a032d3b00","sha256":"dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47","summary":{"permalink":"https://www.virustotal.com/gui/file/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47/detection/f-dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853","positives":62,"scan_date":"2020-11-17 01:50:53"},"total":72,"verbose_msg":"Scan finished, information embedded"}}