From 7c5307552d7012a18eb5b34b4dd7a8fa35b83ddd Mon Sep 17 00:00:00 2001
From: Proc3ssor1 <jeanjestin@gmail.com>
Date: Tue, 23 Feb 2021 11:27:16 +0100
Subject: [PATCH] Update cuckoo

---
 main.go     |    72 +-
 report.json |  5735 +++++++
 struct.go   |     4 +-
 task.json   | 41231 +++++++++++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 47032 insertions(+), 10 deletions(-)
 create mode 100644 report.json

diff --git a/main.go b/main.go
index 72f362e..b64b167 100644
--- a/main.go
+++ b/main.go
@@ -10,21 +10,22 @@ import (
 	"mime/multipart"
 	"net/http"
 	"os"
+	"regexp"
 )
 
 var i int
 
 func main() {
 
-	mux := http.NewServeMux()
-	os.Setenv("SHARE_TOKEN", "sharetoken")
+	// mux := http.NewServeMux()
+	// os.Setenv("SHARE_TOKEN", "sharetoken")
 
-	helloHandler := http.HandlerFunc(hello)
-	mux.Handle("/hello", validateShareToken(helloHandler))
+	// helloHandler := http.HandlerFunc(hello)
+	// mux.Handle("/hello", validateShareToken(helloHandler))
 
-	log.Println("Listening on :8091...")
-	err := http.ListenAndServe(":8091", mux)
-	log.Fatal(err)
+	// log.Println("Listening on :8091...")
+	// err := http.ListenAndServe(":8091", mux)
+	// log.Fatal(err)
 
 	//taskid := sendPostRequestMultipart("http://localhost:8090/tasks/create/file", "/home/jean/Wza.txt")
 	sendGetSummaryReport(5)
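Review bot: With `os.Setenv` commented out, the `"os"` import kept at the top of this hunk may now be unused, and Go rejects unused imports at compile time; if nothing else in main.go uses `os` (not visible from here), the import has to go too. The server wiring is commented out rather than deleted, which leaves dead code next to the unused package-level `var i int`; git already keeps the history, so removing the six commented lines and the unused variable is cleaner than keeping them. The task id is also hard-coded as `sendGetSummaryReport(5)`, which ties the binary to one analysis; reading it from a flag or `os.Args` (for example `taskid, err := strconv.Atoi(os.Args[1])`, checking `err`) would make the tool reusable. `main` continues past the end of this hunk.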
@@ -135,8 +136,63 @@ func sendGetSummaryReport(taskid int) string {
 		log.Fatal(err)
 	}
 
+	type StringsResponse struct {
+		Strings []string `json:"strings"`
+	}
+
 	content, err := ioutil.ReadAll(resp.Body)
-	fmt.Printf(string(content))
+
+	var stringsResponse StringsResponse
+	err = json.Unmarshal(content, &stringsResponse)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	var expediteur string
+	var subject string
+
+	for _, s := range stringsResponse.Strings {
+		rExp := regexp.MustCompile(`From:.*<(.*)>`)
+		rSub := regexp.MustCompile(`Subject: (.*)`)
+
+		resExp := rExp.FindStringSubmatch(s)
+		if len(resExp) != 0 {
+			expediteur = resExp[1]
+		}
+
+		resSub := rSub.FindStringSubmatch(s)
+		if len(resSub) != 0 {
+			subject = resSub[1]
+		}
+	}
+	fmt.Println(expediteur)
+	fmt.Println(subject)
+
+	type TargetResponse struct {
+		Target struct {
+			File struct {
+				Sha1   string   `json:"sha1"`
+				Sha256 string   `json:"sha256"`
+				Urls   []string `json:"urls"`
+				Sha512 string   `json:"sha512"`
+				Md5    string   `json:"md5"`
+			} `json:"file"`
+		} `json:"target"`
+	}
+
+	var targetResponse TargetResponse
+	err = json.Unmarshal(content, &targetResponse)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println(targetResponse.Target.File.Sha1)
+
+	for _, s := range targetResponse.Target.File.Urls {
+		fmt.Println(s)
+	}
+
+	// fmt.Printf(string(content))
 	return string(content)
 }
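Review bot: The error from `ioutil.ReadAll` on the `content, err :=` line is never checked — `err` is overwritten by the `json.Unmarshal` that follows the `StringsResponse` type, so a truncated or failed read is parsed as though the body were complete. The two `regexp.MustCompile` calls sit inside the `for _, s := range stringsResponse.Strings` loop and recompile the same patterns for every string; hoist them above the loop (or to package scope). The `From:`/`Subject:` values come out of the sandbox report for an untrusted sample, so printing them with `%q` instead of `fmt.Println` keeps embedded control characters from reaching the terminal raw. The two unmarshals of the same `content` into two locally declared types could be one struct in struct.go, and `sendGetSummaryReport` starts outside this hunk, so I cannot see whether `resp.Body` is closed — if it is not, add `defer resp.Body.Close()` after the request's error check.
```go
content, err := ioutil.ReadAll(resp.Body)
if err != nil {
	log.Fatal(err)
}

// … unchanged: StringsResponse declaration and unmarshal …

// Compile once; MustCompile inside the loop recompiled per string.
rExp := regexp.MustCompile(`From:.*<(.*)>`)
rSub := regexp.MustCompile(`Subject: (.*)`)

var expediteur, subject string
for _, s := range stringsResponse.Strings {
	if m := rExp.FindStringSubmatch(s); m != nil {
		expediteur = m[1]
	}
	if m := rSub.FindStringSubmatch(s); m != nil {
		subject = m[1]
	}
}
// %q escapes control characters in sample-derived strings.
fmt.Printf("%q\n%q\n", expediteur, subject)

// … unchanged: TargetResponse declaration, unmarshal and printing …
```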
 
diff --git a/report.json b/report.json
new file mode 100644
index 0000000..b89d7f6
--- /dev/null
+++ b/report.json
@@ -0,0 +1,5735 @@
+{
+    "info": {
+        "added": 1613475151.141135, 
+        "started": 1613475151.472526, 
+        "duration": 21, 
+        "ended": 1613475173.459486, 
+        "owner": null, 
+        "score": 0.6, 
+        "id": 5, 
+        "category": "file", 
+        "git": {
+            "head": "13cbe0d9e457be3673304533043e992ead1ea9b2", 
+            "fetch_head": "13cbe0d9e457be3673304533043e992ead1ea9b2"
+        }, 
+        "monitor": "2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b", 
+        "package": "", 
+        "route": "none", 
+        "custom": null, 
+        "machine": {
+            "status": "stopped", 
+            "name": "cuckoo1", 
+            "label": "win7cuckoo", 
+            "manager": "VirtualBox", 
+            "started_on": "2021-02-16 11:32:31", 
+            "shutdown_on": "2021-02-16 11:32:53"
+        }, 
+        "platform": null, 
+        "version": "2.0.7", 
+        "options": "procmemdump=yes,route=none"
+    }, 
+    "procmemory": [
+        {
+            "regions": [
+                {
+                    "protect": "rw", 
+                    "end": "0x00030000", 
+                    "addr": "0x00010000", 
+                    "state": 4096, 
+                    "offset": 24, 
+                    "type": 131072, 
+                    "size": 131072
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00032000", 
+                    "addr": "0x00030000", 
+                    "state": 4096, 
+                    "offset": 131120, 
+                    "type": 131072, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00041000", 
+                    "addr": "0x00040000", 
+                    "state": 4096, 
+                    "offset": 139336, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00054000", 
+                    "addr": "0x00050000", 
+                    "state": 4096, 
+                    "offset": 143456, 
+                    "type": 262144, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00063000", 
+                    "addr": "0x00060000", 
+                    "state": 4096, 
+                    "offset": 159864, 
+                    "type": 262144, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00071000", 
+                    "addr": "0x00070000", 
+                    "state": 4096, 
+                    "offset": 172176, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00081000", 
+                    "addr": "0x00080000", 
+                    "state": 4096, 
+                    "offset": 176296, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x00091000", 
+                    "addr": "0x00090000", 
+                    "state": 4096, 
+                    "offset": 180416, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x000a1000", 
+                    "addr": "0x000a0000", 
+                    "state": 4096, 
+                    "offset": 184536, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x000b1000", 
+                    "addr": "0x000b0000", 
+                    "state": 4096, 
+                    "offset": 188656, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00141000", 
+                    "addr": "0x00140000", 
+                    "state": 4096, 
+                    "offset": 192776, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x01587000", 
+                    "addr": "0x00141000", 
+                    "state": 4096, 
+                    "offset": 196896, 
+                    "type": 16777216, 
+                    "size": 21258240
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x019a1000", 
+                    "addr": "0x01587000", 
+                    "state": 4096, 
+                    "offset": 21455160, 
+                    "type": 16777216, 
+                    "size": 4300800
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x01afe000", 
+                    "addr": "0x019a1000", 
+                    "state": 4096, 
+                    "offset": 25755984, 
+                    "type": 16777216, 
+                    "size": 1429504
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x01e9f000", 
+                    "addr": "0x01afe000", 
+                    "state": 4096, 
+                    "offset": 27185512, 
+                    "type": 16777216, 
+                    "size": 3805184
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f30000", 
+                    "addr": "0x01f2c000", 
+                    "state": 4096, 
+                    "offset": 30990720, 
+                    "type": 131072, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x02170000", 
+                    "addr": "0x0216f000", 
+                    "state": 4096, 
+                    "offset": 31007128, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77521000", 
+                    "addr": "0x77520000", 
+                    "state": 4096, 
+                    "offset": 31011248, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7761e000", 
+                    "addr": "0x77521000", 
+                    "state": 4096, 
+                    "offset": 31015368, 
+                    "type": 16777216, 
+                    "size": 1036288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7764d000", 
+                    "addr": "0x7761e000", 
+                    "state": 4096, 
+                    "offset": 32051680, 
+                    "type": 16777216, 
+                    "size": 192512
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77657000", 
+                    "addr": "0x7764d000", 
+                    "state": 4096, 
+                    "offset": 32244216, 
+                    "type": 16777216, 
+                    "size": 40960
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77658000", 
+                    "addr": "0x77657000", 
+                    "state": 4096, 
+                    "offset": 32285200, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x7765b000", 
+                    "addr": "0x77658000", 
+                    "state": 4096, 
+                    "offset": 32289320, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x776ca000", 
+                    "addr": "0x7765b000", 
+                    "state": 4096, 
+                    "offset": 32301632, 
+                    "type": 16777216, 
+                    "size": 454656
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77701000", 
+                    "addr": "0x77700000", 
+                    "state": 4096, 
+                    "offset": 32756312, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x777e6000", 
+                    "addr": "0x77710000", 
+                    "state": 4096, 
+                    "offset": 32760432, 
+                    "type": 16777216, 
+                    "size": 876544
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x777f1000", 
+                    "addr": "0x777f0000", 
+                    "state": 4096, 
+                    "offset": 33637000, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77807000", 
+                    "addr": "0x77800000", 
+                    "state": 4096, 
+                    "offset": 33641120, 
+                    "type": 16777216, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77808000", 
+                    "addr": "0x77807000", 
+                    "state": 4096, 
+                    "offset": 33669816, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x7780a000", 
+                    "addr": "0x77808000", 
+                    "state": 4096, 
+                    "offset": 33673936, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7786b000", 
+                    "addr": "0x77810000", 
+                    "state": 4096, 
+                    "offset": 33682152, 
+                    "type": 16777216, 
+                    "size": 372736
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77875000", 
+                    "addr": "0x77870000", 
+                    "state": 4096, 
+                    "offset": 34054912, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7ffe1000", 
+                    "addr": "0x7ffe0000", 
+                    "state": 4096, 
+                    "offset": 34075416, 
+                    "type": 131072, 
+                    "size": 4096
+                }
+            ], 
+            "yara": [], 
+            "num": 1, 
+            "file": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-1.dmp", 
+            "urls": [
+                "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", 
+                "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", 
+                "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", 
+                "https://portal.office.com/"
+            ], 
+            "extracted": [
+                {
+                    "yara": [
+                        {
+                            "meta": {
+                                "description": "(no description)"
+                            }, 
+                            "name": "loki", 
+                            "offsets": {
+                                "var1": [
+                                    [
+                                        91, 
+                                        0
+                                    ], 
+                                    [
+                                        22964266, 
+                                        0
+                                    ], 
+                                    [
+                                        23078871, 
+                                        0
+                                    ], 
+                                    [
+                                        23079025, 
+                                        0
+                                    ], 
+                                    [
+                                        23148175, 
+                                        0
+                                    ], 
+                                    [
+                                        23150376, 
+                                        0
+                                    ], 
+                                    [
+                                        23380927, 
+                                        0
+                                    ], 
+                                    [
+                                        23381060, 
+                                        0
+                                    ], 
+                                    [
+                                        23381406, 
+                                        0
+                                    ], 
+                                    [
+                                        23381484, 
+                                        0
+                                    ], 
+                                    [
+                                        23384532, 
+                                        0
+                                    ], 
+                                    [
+                                        23518731, 
+                                        0
+                                    ], 
+                                    [
+                                        23519668, 
+                                        0
+                                    ], 
+                                    [
+                                        23522789, 
+                                        0
+                                    ], 
+                                    [
+                                        23522811, 
+                                        0
+                                    ], 
+                                    [
+                                        23529820, 
+                                        0
+                                    ], 
+                                    [
+                                        23533114, 
+                                        0
+                                    ], 
+                                    [
+                                        23537053, 
+                                        0
+                                    ], 
+                                    [
+                                        23572944, 
+                                        0
+                                    ], 
+                                    [
+                                        23820720, 
+                                        0
+                                    ], 
+                                    [
+                                        23831865, 
+                                        0
+                                    ], 
+                                    [
+                                        23831889, 
+                                        0
+                                    ], 
+                                    [
+                                        23849301, 
+                                        0
+                                    ]
+                                ]
+                            }, 
+                            "strings": [
+                                "Y2Fubm90"
+                            ]
+                        }
+                    ], 
+                    "sha1": "35864479850d3c6d4a16cc44541370f8597f24ba", 
+                    "name": "2852-35864479850d3c6d.exe_", 
+                    "type": "PE32 executable (GUI) Intel 80386, for MS Windows", 
+                    "sha256": "a15303d4c00d0c8c5a14787c675e9d79992fbce8535a5d3ec6763c27c0aaf99d", 
+                    "urls": [
+                        "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", 
+                        "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", 
+                        "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", 
+                        "https://portal.office.com/"
+                    ], 
+                    "crc32": "1B979CB8", 
+                    "path": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-35864479850d3c6d.exe_", 
+                    "ssdeep": null, 
+                    "size": 30797824, 
+                    "sha512": "8694a054587b4dc4da74caca3a18532ee71ab04ab4d814ce3f9b86b1b8f55c88154bf5df1c53fbec8e7054aa86b379bfa4c0d63db85481a621bf91b3e82c28fa", 
+                    "md5": "af5df55d3533108d17fd462c1d2fce63"
+                }
+            ], 
+            "pid": 2852
+        }, 
+        {
+            "regions": [
+                {
+                    "protect": "rw", 
+                    "end": "0x00020000", 
+                    "addr": "0x00010000", 
+                    "state": 4096, 
+                    "offset": 24, 
+                    "type": 262144, 
+                    "size": 65536
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00021000", 
+                    "addr": "0x00020000", 
+                    "state": 4096, 
+                    "offset": 65584, 
+                    "type": 262144, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00031000", 
+                    "addr": "0x00030000", 
+                    "state": 4096, 
+                    "offset": 69704, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00041000", 
+                    "addr": "0x00040000", 
+                    "state": 4096, 
+                    "offset": 73824, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00054000", 
+                    "addr": "0x00050000", 
+                    "state": 4096, 
+                    "offset": 77944, 
+                    "type": 262144, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00063000", 
+                    "addr": "0x00060000", 
+                    "state": 4096, 
+                    "offset": 94352, 
+                    "type": 262144, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00071000", 
+                    "addr": "0x00070000", 
+                    "state": 4096, 
+                    "offset": 106664, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00081000", 
+                    "addr": "0x00080000", 
+                    "state": 4096, 
+                    "offset": 110784, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x00091000", 
+                    "addr": "0x00090000", 
+                    "state": 4096, 
+                    "offset": 114904, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x000a1000", 
+                    "addr": "0x000a0000", 
+                    "state": 4096, 
+                    "offset": 119024, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x000b1000", 
+                    "addr": "0x000b0000", 
+                    "state": 4096, 
+                    "offset": 123144, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00127000", 
+                    "addr": "0x000c0000", 
+                    "state": 4096, 
+                    "offset": 127264, 
+                    "type": 262144, 
+                    "size": 421888
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x00131000", 
+                    "addr": "0x00130000", 
+                    "state": 4096, 
+                    "offset": 549176, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x00141000", 
+                    "addr": "0x00140000", 
+                    "state": 4096, 
+                    "offset": 553296, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x01587000", 
+                    "addr": "0x00141000", 
+                    "state": 4096, 
+                    "offset": 557416, 
+                    "type": 16777216, 
+                    "size": 21258240
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x019a1000", 
+                    "addr": "0x01587000", 
+                    "state": 4096, 
+                    "offset": 21815680, 
+                    "type": 16777216, 
+                    "size": 4300800
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x019a4000", 
+                    "addr": "0x019a1000", 
+                    "state": 4096, 
+                    "offset": 26116504, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x019a5000", 
+                    "addr": "0x019a4000", 
+                    "state": 4096, 
+                    "offset": 26128816, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x019cf000", 
+                    "addr": "0x019a5000", 
+                    "state": 4096, 
+                    "offset": 26132936, 
+                    "type": 16777216, 
+                    "size": 172032
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x019d0000", 
+                    "addr": "0x019cf000", 
+                    "state": 4096, 
+                    "offset": 26304992, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x019d7000", 
+                    "addr": "0x019d0000", 
+                    "state": 4096, 
+                    "offset": 26309112, 
+                    "type": 16777216, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x019d8000", 
+                    "addr": "0x019d7000", 
+                    "state": 4096, 
+                    "offset": 26337808, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x019da000", 
+                    "addr": "0x019d8000", 
+                    "state": 4096, 
+                    "offset": 26341928, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x019db000", 
+                    "addr": "0x019da000", 
+                    "state": 4096, 
+                    "offset": 26350144, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x019eb000", 
+                    "addr": "0x019db000", 
+                    "state": 4096, 
+                    "offset": 26354264, 
+                    "type": 16777216, 
+                    "size": 65536
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x019ec000", 
+                    "addr": "0x019eb000", 
+                    "state": 4096, 
+                    "offset": 26419824, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x019ed000", 
+                    "addr": "0x019ec000", 
+                    "state": 4096, 
+                    "offset": 26423944, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x019ee000", 
+                    "addr": "0x019ed000", 
+                    "state": 4096, 
+                    "offset": 26428064, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x01ac3000", 
+                    "addr": "0x019ee000", 
+                    "state": 4096, 
+                    "offset": 26432184, 
+                    "type": 16777216, 
+                    "size": 872448
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01afe000", 
+                    "addr": "0x01ac3000", 
+                    "state": 4096, 
+                    "offset": 27304656, 
+                    "type": 16777216, 
+                    "size": 241664
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x01e9f000", 
+                    "addr": "0x01afe000", 
+                    "state": 4096, 
+                    "offset": 27546344, 
+                    "type": 16777216, 
+                    "size": 3805184
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x01ea1000", 
+                    "addr": "0x01ea0000", 
+                    "state": 4096, 
+                    "offset": 31351552, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x01eb7000", 
+                    "addr": "0x01eb0000", 
+                    "state": 4096, 
+                    "offset": 31355672, 
+                    "type": 262144, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01ec2000", 
+                    "addr": "0x01ec0000", 
+                    "state": 4096, 
+                    "offset": 31384368, 
+                    "type": 262144, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01ed1000", 
+                    "addr": "0x01ed0000", 
+                    "state": 4096, 
+                    "offset": 31392584, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01ee1000", 
+                    "addr": "0x01ee0000", 
+                    "state": 4096, 
+                    "offset": 31396704, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f30000", 
+                    "addr": "0x01f2c000", 
+                    "state": 4096, 
+                    "offset": 31400824, 
+                    "type": 131072, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f31000", 
+                    "addr": "0x01f30000", 
+                    "state": 4096, 
+                    "offset": 31417232, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f41000", 
+                    "addr": "0x01f40000", 
+                    "state": 4096, 
+                    "offset": 31421352, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f54000", 
+                    "addr": "0x01f50000", 
+                    "state": 4096, 
+                    "offset": 31425472, 
+                    "type": 131072, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f64000", 
+                    "addr": "0x01f60000", 
+                    "state": 4096, 
+                    "offset": 31441880, 
+                    "type": 131072, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f80000", 
+                    "addr": "0x01f70000", 
+                    "state": 4096, 
+                    "offset": 31458288, 
+                    "type": 131072, 
+                    "size": 65536
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x01f88000", 
+                    "addr": "0x01f80000", 
+                    "state": 4096, 
+                    "offset": 31523848, 
+                    "type": 131072, 
+                    "size": 32768
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01f91000", 
+                    "addr": "0x01f90000", 
+                    "state": 4096, 
+                    "offset": 31556640, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01fa1000", 
+                    "addr": "0x01fa0000", 
+                    "state": 4096, 
+                    "offset": 31560760, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwx", 
+                    "end": "0x01fb8000", 
+                    "addr": "0x01fb0000", 
+                    "state": 4096, 
+                    "offset": 31564880, 
+                    "type": 131072, 
+                    "size": 32768
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01fc1000", 
+                    "addr": "0x01fc0000", 
+                    "state": 4096, 
+                    "offset": 31597672, 
+                    "type": 131072, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x01ffb000", 
+                    "addr": "0x01ff0000", 
+                    "state": 4096, 
+                    "offset": 31601792, 
+                    "type": 131072, 
+                    "size": 45056
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x02170000", 
+                    "addr": "0x0215f000", 
+                    "state": 4096, 
+                    "offset": 31646872, 
+                    "type": 131072, 
+                    "size": 69632
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x02175000", 
+                    "addr": "0x02170000", 
+                    "state": 4096, 
+                    "offset": 31716528, 
+                    "type": 262144, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x022f3000", 
+                    "addr": "0x022f0000", 
+                    "state": 4096, 
+                    "offset": 31737032, 
+                    "type": 262144, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x02326000", 
+                    "addr": "0x02320000", 
+                    "state": 4096, 
+                    "offset": 31749344, 
+                    "type": 131072, 
+                    "size": 24576
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x02521000", 
+                    "addr": "0x023a0000", 
+                    "state": 4096, 
+                    "offset": 31773944, 
+                    "type": 262144, 
+                    "size": 1576960
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x0260f000", 
+                    "addr": "0x02550000", 
+                    "state": 4096, 
+                    "offset": 33350928, 
+                    "type": 131072, 
+                    "size": 782336
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x0269e000", 
+                    "addr": "0x02650000", 
+                    "state": 4096, 
+                    "offset": 34133288, 
+                    "type": 262144, 
+                    "size": 319488
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x03d1f000", 
+                    "addr": "0x03a50000", 
+                    "state": 4096, 
+                    "offset": 34452800, 
+                    "type": 262144, 
+                    "size": 2945024
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x04111000", 
+                    "addr": "0x03d20000", 
+                    "state": 4096, 
+                    "offset": 37397848, 
+                    "type": 262144, 
+                    "size": 4132864
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x04132000", 
+                    "addr": "0x04120000", 
+                    "state": 4096, 
+                    "offset": 41530736, 
+                    "type": 131072, 
+                    "size": 73728
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x6e3c1000", 
+                    "addr": "0x6e3c0000", 
+                    "state": 4096, 
+                    "offset": 41604488, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x6e491000", 
+                    "addr": "0x6e3c1000", 
+                    "state": 4096, 
+                    "offset": 41608608, 
+                    "type": 16777216, 
+                    "size": 851968
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e493000", 
+                    "addr": "0x6e491000", 
+                    "state": 4096, 
+                    "offset": 42460600, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x6e49c000", 
+                    "addr": "0x6e493000", 
+                    "state": 4096, 
+                    "offset": 42468816, 
+                    "type": 16777216, 
+                    "size": 36864
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x6e4a1000", 
+                    "addr": "0x6e4a0000", 
+                    "state": 4096, 
+                    "offset": 42505704, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x6e4da000", 
+                    "addr": "0x6e4a1000", 
+                    "state": 4096, 
+                    "offset": 42509824, 
+                    "type": 16777216, 
+                    "size": 233472
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e4e1000", 
+                    "addr": "0x6e4da000", 
+                    "state": 4096, 
+                    "offset": 42743320, 
+                    "type": 16777216, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e4e8000", 
+                    "addr": "0x6e4e1000", 
+                    "state": 4096, 
+                    "offset": 42772016, 
+                    "type": 16777216, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e4ea000", 
+                    "addr": "0x6e4e8000", 
+                    "state": 4096, 
+                    "offset": 42800712, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e4eb000", 
+                    "addr": "0x6e4ea000", 
+                    "state": 4096, 
+                    "offset": 42808928, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e4ff000", 
+                    "addr": "0x6e4eb000", 
+                    "state": 4096, 
+                    "offset": 42813048, 
+                    "type": 16777216, 
+                    "size": 81920
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e500000", 
+                    "addr": "0x6e4ff000", 
+                    "state": 4096, 
+                    "offset": 42894992, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x6e537000", 
+                    "addr": "0x6e500000", 
+                    "state": 4096, 
+                    "offset": 42899112, 
+                    "type": 16777216, 
+                    "size": 225280
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e538000", 
+                    "addr": "0x6e537000", 
+                    "state": 4096, 
+                    "offset": 43124416, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e53b000", 
+                    "addr": "0x6e538000", 
+                    "state": 4096, 
+                    "offset": 43128536, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e54c000", 
+                    "addr": "0x6e53b000", 
+                    "state": 4096, 
+                    "offset": 43140848, 
+                    "type": 16777216, 
+                    "size": 69632
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e55b000", 
+                    "addr": "0x6e54c000", 
+                    "state": 4096, 
+                    "offset": 43210504, 
+                    "type": 16777216, 
+                    "size": 61440
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e5a0000", 
+                    "addr": "0x6e55b000", 
+                    "state": 4096, 
+                    "offset": 43271968, 
+                    "type": 16777216, 
+                    "size": 282624
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e682000", 
+                    "addr": "0x6e5a0000", 
+                    "state": 4096, 
+                    "offset": 43554616, 
+                    "type": 16777216, 
+                    "size": 925696
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e684000", 
+                    "addr": "0x6e682000", 
+                    "state": 4096, 
+                    "offset": 44480336, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e692000", 
+                    "addr": "0x6e684000", 
+                    "state": 4096, 
+                    "offset": 44488552, 
+                    "type": 16777216, 
+                    "size": 57344
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e694000", 
+                    "addr": "0x6e692000", 
+                    "state": 4096, 
+                    "offset": 44545920, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x6e69c000", 
+                    "addr": "0x6e694000", 
+                    "state": 4096, 
+                    "offset": 44554136, 
+                    "type": 16777216, 
+                    "size": 32768
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x6e69d000", 
+                    "addr": "0x6e69c000", 
+                    "state": 4096, 
+                    "offset": 44586928, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x6e69f000", 
+                    "addr": "0x6e69d000", 
+                    "state": 4096, 
+                    "offset": 44591048, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x6e6a5000", 
+                    "addr": "0x6e69f000", 
+                    "state": 4096, 
+                    "offset": 44599264, 
+                    "type": 16777216, 
+                    "size": 24576
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x6f710000", 
+                    "addr": "0x6f700000", 
+                    "state": 4096, 
+                    "offset": 44623864, 
+                    "type": 131072, 
+                    "size": 65536
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x71d91000", 
+                    "addr": "0x71d90000", 
+                    "state": 4096, 
+                    "offset": 44689424, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x71dc4000", 
+                    "addr": "0x71d91000", 
+                    "state": 4096, 
+                    "offset": 44693544, 
+                    "type": 16777216, 
+                    "size": 208896
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x71dc6000", 
+                    "addr": "0x71dc4000", 
+                    "state": 4096, 
+                    "offset": 44902464, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x71dc9000", 
+                    "addr": "0x71dc6000", 
+                    "state": 4096, 
+                    "offset": 44910680, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x71e01000", 
+                    "addr": "0x71e00000", 
+                    "state": 4096, 
+                    "offset": 44922992, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x71f4f000", 
+                    "addr": "0x71e01000", 
+                    "state": 4096, 
+                    "offset": 44927112, 
+                    "type": 16777216, 
+                    "size": 1368064
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x71fcd000", 
+                    "addr": "0x71f4f000", 
+                    "state": 4096, 
+                    "offset": 46295200, 
+                    "type": 16777216, 
+                    "size": 516096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x71fd0000", 
+                    "addr": "0x71fcd000", 
+                    "state": 4096, 
+                    "offset": 46811320, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x71fd3000", 
+                    "addr": "0x71fd0000", 
+                    "state": 4096, 
+                    "offset": 46823632, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x71fd9000", 
+                    "addr": "0x71fd3000", 
+                    "state": 4096, 
+                    "offset": 46835944, 
+                    "type": 16777216, 
+                    "size": 24576
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x71ff2000", 
+                    "addr": "0x71fd9000", 
+                    "state": 4096, 
+                    "offset": 46860544, 
+                    "type": 16777216, 
+                    "size": 102400
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72821000", 
+                    "addr": "0x72820000", 
+                    "state": 4096, 
+                    "offset": 46962968, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72824000", 
+                    "addr": "0x72821000", 
+                    "state": 4096, 
+                    "offset": 46967088, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72825000", 
+                    "addr": "0x72824000", 
+                    "state": 4096, 
+                    "offset": 46979400, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72831000", 
+                    "addr": "0x72830000", 
+                    "state": 4096, 
+                    "offset": 46983520, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72832000", 
+                    "addr": "0x72831000", 
+                    "state": 4096, 
+                    "offset": 46987640, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72833000", 
+                    "addr": "0x72832000", 
+                    "state": 4096, 
+                    "offset": 46991760, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72841000", 
+                    "addr": "0x72840000", 
+                    "state": 4096, 
+                    "offset": 46995880, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72842000", 
+                    "addr": "0x72841000", 
+                    "state": 4096, 
+                    "offset": 47000000, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72843000", 
+                    "addr": "0x72842000", 
+                    "state": 4096, 
+                    "offset": 47004120, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72851000", 
+                    "addr": "0x72850000", 
+                    "state": 4096, 
+                    "offset": 47008240, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72852000", 
+                    "addr": "0x72851000", 
+                    "state": 4096, 
+                    "offset": 47012360, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72853000", 
+                    "addr": "0x72852000", 
+                    "state": 4096, 
+                    "offset": 47016480, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72861000", 
+                    "addr": "0x72860000", 
+                    "state": 4096, 
+                    "offset": 47020600, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72862000", 
+                    "addr": "0x72861000", 
+                    "state": 4096, 
+                    "offset": 47024720, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72863000", 
+                    "addr": "0x72862000", 
+                    "state": 4096, 
+                    "offset": 47028840, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72891000", 
+                    "addr": "0x72890000", 
+                    "state": 4096, 
+                    "offset": 47032960, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7289c000", 
+                    "addr": "0x72891000", 
+                    "state": 4096, 
+                    "offset": 47037080, 
+                    "type": 16777216, 
+                    "size": 45056
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x7289d000", 
+                    "addr": "0x7289c000", 
+                    "state": 4096, 
+                    "offset": 47082160, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7289f000", 
+                    "addr": "0x7289d000", 
+                    "state": 4096, 
+                    "offset": 47086280, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x728a1000", 
+                    "addr": "0x728a0000", 
+                    "state": 4096, 
+                    "offset": 47094496, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x728c1000", 
+                    "addr": "0x728a1000", 
+                    "state": 4096, 
+                    "offset": 47098616, 
+                    "type": 16777216, 
+                    "size": 131072
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x728c2000", 
+                    "addr": "0x728c1000", 
+                    "state": 4096, 
+                    "offset": 47229712, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x728c8000", 
+                    "addr": "0x728c2000", 
+                    "state": 4096, 
+                    "offset": 47233832, 
+                    "type": 16777216, 
+                    "size": 24576
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x728d1000", 
+                    "addr": "0x728d0000", 
+                    "state": 4096, 
+                    "offset": 47258432, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x728e9000", 
+                    "addr": "0x728d1000", 
+                    "state": 4096, 
+                    "offset": 47262552, 
+                    "type": 16777216, 
+                    "size": 98304
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x728ea000", 
+                    "addr": "0x728e9000", 
+                    "state": 4096, 
+                    "offset": 47360880, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x728ec000", 
+                    "addr": "0x728ea000", 
+                    "state": 4096, 
+                    "offset": 47365000, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x729d1000", 
+                    "addr": "0x729d0000", 
+                    "state": 4096, 
+                    "offset": 47373216, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x729d4000", 
+                    "addr": "0x729d1000", 
+                    "state": 4096, 
+                    "offset": 47377336, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x729d5000", 
+                    "addr": "0x729d4000", 
+                    "state": 4096, 
+                    "offset": 47389648, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x729e1000", 
+                    "addr": "0x729e0000", 
+                    "state": 4096, 
+                    "offset": 47393768, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x729e2000", 
+                    "addr": "0x729e1000", 
+                    "state": 4096, 
+                    "offset": 47397888, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x729e3000", 
+                    "addr": "0x729e2000", 
+                    "state": 4096, 
+                    "offset": 47402008, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x729f1000", 
+                    "addr": "0x729f0000", 
+                    "state": 4096, 
+                    "offset": 47406128, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72a54000", 
+                    "addr": "0x729f1000", 
+                    "state": 4096, 
+                    "offset": 47410248, 
+                    "type": 16777216, 
+                    "size": 405504
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72a57000", 
+                    "addr": "0x72a54000", 
+                    "state": 4096, 
+                    "offset": 47815776, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a59000", 
+                    "addr": "0x72a57000", 
+                    "state": 4096, 
+                    "offset": 47828088, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x72a5a000", 
+                    "addr": "0x72a59000", 
+                    "state": 4096, 
+                    "offset": 47836304, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a5f000", 
+                    "addr": "0x72a5a000", 
+                    "state": 4096, 
+                    "offset": 47840424, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a61000", 
+                    "addr": "0x72a60000", 
+                    "state": 4096, 
+                    "offset": 47860928, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72a63000", 
+                    "addr": "0x72a61000", 
+                    "state": 4096, 
+                    "offset": 47865048, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a64000", 
+                    "addr": "0x72a63000", 
+                    "state": 4096, 
+                    "offset": 47873264, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a71000", 
+                    "addr": "0x72a70000", 
+                    "state": 4096, 
+                    "offset": 47877384, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72a73000", 
+                    "addr": "0x72a71000", 
+                    "state": 4096, 
+                    "offset": 47881504, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a74000", 
+                    "addr": "0x72a73000", 
+                    "state": 4096, 
+                    "offset": 47889720, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a81000", 
+                    "addr": "0x72a80000", 
+                    "state": 4096, 
+                    "offset": 47893840, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72a83000", 
+                    "addr": "0x72a81000", 
+                    "state": 4096, 
+                    "offset": 47897960, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a84000", 
+                    "addr": "0x72a83000", 
+                    "state": 4096, 
+                    "offset": 47906176, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a91000", 
+                    "addr": "0x72a90000", 
+                    "state": 4096, 
+                    "offset": 47910296, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72a92000", 
+                    "addr": "0x72a91000", 
+                    "state": 4096, 
+                    "offset": 47914416, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72a93000", 
+                    "addr": "0x72a92000", 
+                    "state": 4096, 
+                    "offset": 47918536, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72aa1000", 
+                    "addr": "0x72aa0000", 
+                    "state": 4096, 
+                    "offset": 47922656, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72bf4000", 
+                    "addr": "0x72aa1000", 
+                    "state": 4096, 
+                    "offset": 47926776, 
+                    "type": 16777216, 
+                    "size": 1388544
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72c5a000", 
+                    "addr": "0x72bf4000", 
+                    "state": 4096, 
+                    "offset": 49315344, 
+                    "type": 16777216, 
+                    "size": 417792
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72c5c000", 
+                    "addr": "0x72c5a000", 
+                    "state": 4096, 
+                    "offset": 49733160, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x72c68000", 
+                    "addr": "0x72c5c000", 
+                    "state": 4096, 
+                    "offset": 49741376, 
+                    "type": 16777216, 
+                    "size": 49152
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72c6c000", 
+                    "addr": "0x72c68000", 
+                    "state": 4096, 
+                    "offset": 49790552, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72c6e000", 
+                    "addr": "0x72c6c000", 
+                    "state": 4096, 
+                    "offset": 49806960, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x72c6f000", 
+                    "addr": "0x72c6e000", 
+                    "state": 4096, 
+                    "offset": 49815176, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72c70000", 
+                    "addr": "0x72c6f000", 
+                    "state": 4096, 
+                    "offset": 49819296, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72c8a000", 
+                    "addr": "0x72c70000", 
+                    "state": 4096, 
+                    "offset": 49823416, 
+                    "type": 16777216, 
+                    "size": 106496
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72c91000", 
+                    "addr": "0x72c90000", 
+                    "state": 4096, 
+                    "offset": 49929936, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72c94000", 
+                    "addr": "0x72c91000", 
+                    "state": 4096, 
+                    "offset": 49934056, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72c95000", 
+                    "addr": "0x72c94000", 
+                    "state": 4096, 
+                    "offset": 49946368, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72c97000", 
+                    "addr": "0x72c95000", 
+                    "state": 4096, 
+                    "offset": 49950488, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72ca1000", 
+                    "addr": "0x72ca0000", 
+                    "state": 4096, 
+                    "offset": 49958704, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72ca2000", 
+                    "addr": "0x72ca1000", 
+                    "state": 4096, 
+                    "offset": 49962824, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72ca3000", 
+                    "addr": "0x72ca2000", 
+                    "state": 4096, 
+                    "offset": 49966944, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72cb1000", 
+                    "addr": "0x72cb0000", 
+                    "state": 4096, 
+                    "offset": 49971064, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72cb2000", 
+                    "addr": "0x72cb1000", 
+                    "state": 4096, 
+                    "offset": 49975184, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72cb3000", 
+                    "addr": "0x72cb2000", 
+                    "state": 4096, 
+                    "offset": 49979304, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72cc1000", 
+                    "addr": "0x72cc0000", 
+                    "state": 4096, 
+                    "offset": 49983424, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72cc2000", 
+                    "addr": "0x72cc1000", 
+                    "state": 4096, 
+                    "offset": 49987544, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72cc3000", 
+                    "addr": "0x72cc2000", 
+                    "state": 4096, 
+                    "offset": 49991664, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72cd1000", 
+                    "addr": "0x72cd0000", 
+                    "state": 4096, 
+                    "offset": 49995784, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72cd2000", 
+                    "addr": "0x72cd1000", 
+                    "state": 4096, 
+                    "offset": 49999904, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72cd3000", 
+                    "addr": "0x72cd2000", 
+                    "state": 4096, 
+                    "offset": 50004024, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72de1000", 
+                    "addr": "0x72de0000", 
+                    "state": 4096, 
+                    "offset": 50008144, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72dee000", 
+                    "addr": "0x72de1000", 
+                    "state": 4096, 
+                    "offset": 50012264, 
+                    "type": 16777216, 
+                    "size": 53248
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72df3000", 
+                    "addr": "0x72dee000", 
+                    "state": 4096, 
+                    "offset": 50065536, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x72df7000", 
+                    "addr": "0x72df3000", 
+                    "state": 4096, 
+                    "offset": 50086040, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72df9000", 
+                    "addr": "0x72df7000", 
+                    "state": 4096, 
+                    "offset": 50102448, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e31000", 
+                    "addr": "0x72e30000", 
+                    "state": 4096, 
+                    "offset": 50110664, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72e32000", 
+                    "addr": "0x72e31000", 
+                    "state": 4096, 
+                    "offset": 50114784, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e33000", 
+                    "addr": "0x72e32000", 
+                    "state": 4096, 
+                    "offset": 50118904, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e41000", 
+                    "addr": "0x72e40000", 
+                    "state": 4096, 
+                    "offset": 50123024, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72e4e000", 
+                    "addr": "0x72e41000", 
+                    "state": 4096, 
+                    "offset": 50127144, 
+                    "type": 16777216, 
+                    "size": 53248
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72e4f000", 
+                    "addr": "0x72e4e000", 
+                    "state": 4096, 
+                    "offset": 50180416, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e51000", 
+                    "addr": "0x72e4f000", 
+                    "state": 4096, 
+                    "offset": 50184536, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e61000", 
+                    "addr": "0x72e60000", 
+                    "state": 4096, 
+                    "offset": 50192752, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72e63000", 
+                    "addr": "0x72e61000", 
+                    "state": 4096, 
+                    "offset": 50196872, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e64000", 
+                    "addr": "0x72e63000", 
+                    "state": 4096, 
+                    "offset": 50205088, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e71000", 
+                    "addr": "0x72e70000", 
+                    "state": 4096, 
+                    "offset": 50209208, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72e7f000", 
+                    "addr": "0x72e71000", 
+                    "state": 4096, 
+                    "offset": 50213328, 
+                    "type": 16777216, 
+                    "size": 57344
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72e80000", 
+                    "addr": "0x72e7f000", 
+                    "state": 4096, 
+                    "offset": 50270696, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e83000", 
+                    "addr": "0x72e80000", 
+                    "state": 4096, 
+                    "offset": 50274816, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72e91000", 
+                    "addr": "0x72e90000", 
+                    "state": 4096, 
+                    "offset": 50287128, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72ea3000", 
+                    "addr": "0x72e91000", 
+                    "state": 4096, 
+                    "offset": 50291248, 
+                    "type": 16777216, 
+                    "size": 73728
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72ea9000", 
+                    "addr": "0x72ea3000", 
+                    "state": 4096, 
+                    "offset": 50365000, 
+                    "type": 16777216, 
+                    "size": 24576
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72eaa000", 
+                    "addr": "0x72ea9000", 
+                    "state": 4096, 
+                    "offset": 50389600, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72ead000", 
+                    "addr": "0x72eaa000", 
+                    "state": 4096, 
+                    "offset": 50393720, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72eb1000", 
+                    "addr": "0x72eb0000", 
+                    "state": 4096, 
+                    "offset": 50406032, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x72eeb000", 
+                    "addr": "0x72eb1000", 
+                    "state": 4096, 
+                    "offset": 50410152, 
+                    "type": 16777216, 
+                    "size": 237568
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x72eec000", 
+                    "addr": "0x72eeb000", 
+                    "state": 4096, 
+                    "offset": 50647744, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x72eed000", 
+                    "addr": "0x72eec000", 
+                    "state": 4096, 
+                    "offset": 50651864, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x72ef2000", 
+                    "addr": "0x72eed000", 
+                    "state": 4096, 
+                    "offset": 50655984, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x730a1000", 
+                    "addr": "0x730a0000", 
+                    "state": 4096, 
+                    "offset": 50676488, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x730b4000", 
+                    "addr": "0x730a1000", 
+                    "state": 4096, 
+                    "offset": 50680608, 
+                    "type": 16777216, 
+                    "size": 77824
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x730b5000", 
+                    "addr": "0x730b4000", 
+                    "state": 4096, 
+                    "offset": 50758456, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x730b7000", 
+                    "addr": "0x730b5000", 
+                    "state": 4096, 
+                    "offset": 50762576, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x730c1000", 
+                    "addr": "0x730c0000", 
+                    "state": 4096, 
+                    "offset": 50770792, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x730cc000", 
+                    "addr": "0x730c1000", 
+                    "state": 4096, 
+                    "offset": 50774912, 
+                    "type": 16777216, 
+                    "size": 45056
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x730cd000", 
+                    "addr": "0x730cc000", 
+                    "state": 4096, 
+                    "offset": 50819992, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x730cf000", 
+                    "addr": "0x730cd000", 
+                    "state": 4096, 
+                    "offset": 50824112, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73331000", 
+                    "addr": "0x73330000", 
+                    "state": 4096, 
+                    "offset": 50832328, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7349d000", 
+                    "addr": "0x73331000", 
+                    "state": 4096, 
+                    "offset": 50836448, 
+                    "type": 16777216, 
+                    "size": 1490944
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x7349e000", 
+                    "addr": "0x7349d000", 
+                    "state": 4096, 
+                    "offset": 52327416, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x734a1000", 
+                    "addr": "0x7349e000", 
+                    "state": 4096, 
+                    "offset": 52331536, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x734a2000", 
+                    "addr": "0x734a1000", 
+                    "state": 4096, 
+                    "offset": 52343848, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x734a3000", 
+                    "addr": "0x734a2000", 
+                    "state": 4096, 
+                    "offset": 52347968, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x734a5000", 
+                    "addr": "0x734a3000", 
+                    "state": 4096, 
+                    "offset": 52352088, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x734a6000", 
+                    "addr": "0x734a5000", 
+                    "state": 4096, 
+                    "offset": 52360304, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x734c1000", 
+                    "addr": "0x734a6000", 
+                    "state": 4096, 
+                    "offset": 52364424, 
+                    "type": 16777216, 
+                    "size": 110592
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x738e1000", 
+                    "addr": "0x738e0000", 
+                    "state": 4096, 
+                    "offset": 52475040, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x738e2000", 
+                    "addr": "0x738e1000", 
+                    "state": 4096, 
+                    "offset": 52479160, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x738e3000", 
+                    "addr": "0x738e2000", 
+                    "state": 4096, 
+                    "offset": 52483280, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73951000", 
+                    "addr": "0x73950000", 
+                    "state": 4096, 
+                    "offset": 52487400, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x73956000", 
+                    "addr": "0x73951000", 
+                    "state": 4096, 
+                    "offset": 52491520, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x73957000", 
+                    "addr": "0x73956000", 
+                    "state": 4096, 
+                    "offset": 52512024, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73959000", 
+                    "addr": "0x73957000", 
+                    "state": 4096, 
+                    "offset": 52516144, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73971000", 
+                    "addr": "0x73970000", 
+                    "state": 4096, 
+                    "offset": 52524360, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x73974000", 
+                    "addr": "0x73971000", 
+                    "state": 4096, 
+                    "offset": 52528480, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x73975000", 
+                    "addr": "0x73974000", 
+                    "state": 4096, 
+                    "offset": 52540792, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73978000", 
+                    "addr": "0x73975000", 
+                    "state": 4096, 
+                    "offset": 52544912, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73981000", 
+                    "addr": "0x73980000", 
+                    "state": 4096, 
+                    "offset": 52557224, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x739ce000", 
+                    "addr": "0x73981000", 
+                    "state": 4096, 
+                    "offset": 52561344, 
+                    "type": 16777216, 
+                    "size": 315392
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x739cf000", 
+                    "addr": "0x739ce000", 
+                    "state": 4096, 
+                    "offset": 52876760, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x739d2000", 
+                    "addr": "0x739cf000", 
+                    "state": 4096, 
+                    "offset": 52880880, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x739d3000", 
+                    "addr": "0x739d2000", 
+                    "state": 4096, 
+                    "offset": 52893192, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x739dc000", 
+                    "addr": "0x739d3000", 
+                    "state": 4096, 
+                    "offset": 52897312, 
+                    "type": 16777216, 
+                    "size": 36864
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x739e1000", 
+                    "addr": "0x739e0000", 
+                    "state": 4096, 
+                    "offset": 52934200, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x73a19000", 
+                    "addr": "0x739e1000", 
+                    "state": 4096, 
+                    "offset": 52938320, 
+                    "type": 16777216, 
+                    "size": 229376
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x73a1b000", 
+                    "addr": "0x73a19000", 
+                    "state": 4096, 
+                    "offset": 53167720, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x73a1f000", 
+                    "addr": "0x73a1b000", 
+                    "state": 4096, 
+                    "offset": 53175936, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x74f91000", 
+                    "addr": "0x74f90000", 
+                    "state": 4096, 
+                    "offset": 53192344, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x74f99000", 
+                    "addr": "0x74f91000", 
+                    "state": 4096, 
+                    "offset": 53196464, 
+                    "type": 16777216, 
+                    "size": 32768
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x74f9a000", 
+                    "addr": "0x74f99000", 
+                    "state": 4096, 
+                    "offset": 53229256, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x74f9c000", 
+                    "addr": "0x74f9a000", 
+                    "state": 4096, 
+                    "offset": 53233376, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x74fa1000", 
+                    "addr": "0x74fa0000", 
+                    "state": 4096, 
+                    "offset": 53241592, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x74fc6000", 
+                    "addr": "0x74fb0000", 
+                    "state": 4096, 
+                    "offset": 53245712, 
+                    "type": 16777216, 
+                    "size": 90112
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x74fd1000", 
+                    "addr": "0x74fd0000", 
+                    "state": 4096, 
+                    "offset": 53335848, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x74fe1000", 
+                    "addr": "0x74fe0000", 
+                    "state": 4096, 
+                    "offset": 53339968, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x74ff2000", 
+                    "addr": "0x74ff0000", 
+                    "state": 4096, 
+                    "offset": 53344088, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x751e1000", 
+                    "addr": "0x751e0000", 
+                    "state": 4096, 
+                    "offset": 53352304, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75287000", 
+                    "addr": "0x751f0000", 
+                    "state": 4096, 
+                    "offset": 53356424, 
+                    "type": 16777216, 
+                    "size": 618496
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75293000", 
+                    "addr": "0x75290000", 
+                    "state": 4096, 
+                    "offset": 53974944, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x752a1000", 
+                    "addr": "0x752a0000", 
+                    "state": 4096, 
+                    "offset": 53987256, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x752b4000", 
+                    "addr": "0x752b0000", 
+                    "state": 4096, 
+                    "offset": 53991376, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x752c5000", 
+                    "addr": "0x752c0000", 
+                    "state": 4096, 
+                    "offset": 54007784, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x752d1000", 
+                    "addr": "0x752d0000", 
+                    "state": 4096, 
+                    "offset": 54028288, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7534d000", 
+                    "addr": "0x752e0000", 
+                    "state": 4096, 
+                    "offset": 54032408, 
+                    "type": 16777216, 
+                    "size": 446464
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75351000", 
+                    "addr": "0x75350000", 
+                    "state": 4096, 
+                    "offset": 54478896, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x753bb000", 
+                    "addr": "0x75360000", 
+                    "state": 4096, 
+                    "offset": 54483016, 
+                    "type": 16777216, 
+                    "size": 372736
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x753c4000", 
+                    "addr": "0x753c0000", 
+                    "state": 4096, 
+                    "offset": 54855776, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x753d1000", 
+                    "addr": "0x753d0000", 
+                    "state": 4096, 
+                    "offset": 54872184, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7542c000", 
+                    "addr": "0x753d1000", 
+                    "state": 4096, 
+                    "offset": 54876304, 
+                    "type": 16777216, 
+                    "size": 372736
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x7542e000", 
+                    "addr": "0x7542c000", 
+                    "state": 4096, 
+                    "offset": 55249064, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7546d000", 
+                    "addr": "0x7542e000", 
+                    "state": 4096, 
+                    "offset": 55257280, 
+                    "type": 16777216, 
+                    "size": 258048
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75471000", 
+                    "addr": "0x75470000", 
+                    "state": 4096, 
+                    "offset": 55515352, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75473000", 
+                    "addr": "0x75471000", 
+                    "state": 4096, 
+                    "offset": 55519472, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75474000", 
+                    "addr": "0x75473000", 
+                    "state": 4096, 
+                    "offset": 55527688, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75476000", 
+                    "addr": "0x75474000", 
+                    "state": 4096, 
+                    "offset": 55531808, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75721000", 
+                    "addr": "0x75720000", 
+                    "state": 4096, 
+                    "offset": 55540024, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75734000", 
+                    "addr": "0x75721000", 
+                    "state": 4096, 
+                    "offset": 55544144, 
+                    "type": 16777216, 
+                    "size": 77824
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75735000", 
+                    "addr": "0x75734000", 
+                    "state": 4096, 
+                    "offset": 55621992, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x75737000", 
+                    "addr": "0x75735000", 
+                    "state": 4096, 
+                    "offset": 55626112, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75739000", 
+                    "addr": "0x75737000", 
+                    "state": 4096, 
+                    "offset": 55634328, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75761000", 
+                    "addr": "0x75760000", 
+                    "state": 4096, 
+                    "offset": 55642544, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x758a7000", 
+                    "addr": "0x75761000", 
+                    "state": 4096, 
+                    "offset": 55646664, 
+                    "type": 16777216, 
+                    "size": 1335296
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x758ab000", 
+                    "addr": "0x758a7000", 
+                    "state": 4096, 
+                    "offset": 56981984, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x758bd000", 
+                    "addr": "0x758ab000", 
+                    "state": 4096, 
+                    "offset": 56998392, 
+                    "type": 16777216, 
+                    "size": 73728
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x759a1000", 
+                    "addr": "0x759a0000", 
+                    "state": 4096, 
+                    "offset": 57072144, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75a25000", 
+                    "addr": "0x759a1000", 
+                    "state": 4096, 
+                    "offset": 57076264, 
+                    "type": 16777216, 
+                    "size": 540672
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75a26000", 
+                    "addr": "0x75a25000", 
+                    "state": 4096, 
+                    "offset": 57616960, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x75a27000", 
+                    "addr": "0x75a26000", 
+                    "state": 4096, 
+                    "offset": 57621080, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75a6d000", 
+                    "addr": "0x75a27000", 
+                    "state": 4096, 
+                    "offset": 57625200, 
+                    "type": 16777216, 
+                    "size": 286720
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75a71000", 
+                    "addr": "0x75a70000", 
+                    "state": 4096, 
+                    "offset": 57911944, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75a78000", 
+                    "addr": "0x75a71000", 
+                    "state": 4096, 
+                    "offset": 57916064, 
+                    "type": 16777216, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75a79000", 
+                    "addr": "0x75a78000", 
+                    "state": 4096, 
+                    "offset": 57944760, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75a7b000", 
+                    "addr": "0x75a79000", 
+                    "state": 4096, 
+                    "offset": 57948880, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75a81000", 
+                    "addr": "0x75a80000", 
+                    "state": 4096, 
+                    "offset": 57957096, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75ac1000", 
+                    "addr": "0x75a81000", 
+                    "state": 4096, 
+                    "offset": 57961216, 
+                    "type": 16777216, 
+                    "size": 262144
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75ac3000", 
+                    "addr": "0x75ac1000", 
+                    "state": 4096, 
+                    "offset": 58223384, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75ac7000", 
+                    "addr": "0x75ac3000", 
+                    "state": 4096, 
+                    "offset": 58231600, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75c91000", 
+                    "addr": "0x75c90000", 
+                    "state": 4096, 
+                    "offset": 58248008, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75cb7000", 
+                    "addr": "0x75ca0000", 
+                    "state": 4096, 
+                    "offset": 58252128, 
+                    "type": 16777216, 
+                    "size": 94208
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75cc1000", 
+                    "addr": "0x75cc0000", 
+                    "state": 4096, 
+                    "offset": 58346360, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75cd5000", 
+                    "addr": "0x75cd0000", 
+                    "state": 4096, 
+                    "offset": 58350480, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75ce1000", 
+                    "addr": "0x75ce0000", 
+                    "state": 4096, 
+                    "offset": 58370984, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75cf1000", 
+                    "addr": "0x75cf0000", 
+                    "state": 4096, 
+                    "offset": 58375104, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75d64000", 
+                    "addr": "0x75cf1000", 
+                    "state": 4096, 
+                    "offset": 58379224, 
+                    "type": 16777216, 
+                    "size": 471040
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75d68000", 
+                    "addr": "0x75d64000", 
+                    "state": 4096, 
+                    "offset": 58850288, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75d91000", 
+                    "addr": "0x75d68000", 
+                    "state": 4096, 
+                    "offset": 58866696, 
+                    "type": 16777216, 
+                    "size": 167936
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75db1000", 
+                    "addr": "0x75db0000", 
+                    "state": 4096, 
+                    "offset": 59034656, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x75e0a000", 
+                    "addr": "0x75dc0000", 
+                    "state": 4096, 
+                    "offset": 59038776, 
+                    "type": 16777216, 
+                    "size": 303104
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x75e11000", 
+                    "addr": "0x75e10000", 
+                    "state": 4096, 
+                    "offset": 59341904, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75e21000", 
+                    "addr": "0x75e20000", 
+                    "state": 4096, 
+                    "offset": 59346024, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x75e32000", 
+                    "addr": "0x75e30000", 
+                    "state": 4096, 
+                    "offset": 59350144, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76100000", 
+                    "addr": "0x760f0000", 
+                    "state": 4096, 
+                    "offset": 59358360, 
+                    "type": 16777216, 
+                    "size": 65536
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x761c1000", 
+                    "addr": "0x76100000", 
+                    "state": 4096, 
+                    "offset": 59423920, 
+                    "type": 16777216, 
+                    "size": 790528
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x761d1000", 
+                    "addr": "0x761d0000", 
+                    "state": 4096, 
+                    "offset": 60214472, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x761d2000", 
+                    "addr": "0x761d1000", 
+                    "state": 4096, 
+                    "offset": 60218592, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x761e1000", 
+                    "addr": "0x761e0000", 
+                    "state": 4096, 
+                    "offset": 60222712, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x761fb000", 
+                    "addr": "0x761f0000", 
+                    "state": 4096, 
+                    "offset": 60226832, 
+                    "type": 16777216, 
+                    "size": 45056
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76411000", 
+                    "addr": "0x76410000", 
+                    "state": 4096, 
+                    "offset": 60271912, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x76417000", 
+                    "addr": "0x76411000", 
+                    "state": 4096, 
+                    "offset": 60276032, 
+                    "type": 16777216, 
+                    "size": 24576
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x76418000", 
+                    "addr": "0x76417000", 
+                    "state": 4096, 
+                    "offset": 60300632, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7641a000", 
+                    "addr": "0x76418000", 
+                    "state": 4096, 
+                    "offset": 60304752, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76421000", 
+                    "addr": "0x76420000", 
+                    "state": 4096, 
+                    "offset": 60312968, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x76433000", 
+                    "addr": "0x76421000", 
+                    "state": 4096, 
+                    "offset": 60317088, 
+                    "type": 16777216, 
+                    "size": 73728
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x76434000", 
+                    "addr": "0x76433000", 
+                    "state": 4096, 
+                    "offset": 60390840, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76437000", 
+                    "addr": "0x76434000", 
+                    "state": 4096, 
+                    "offset": 60394960, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76451000", 
+                    "addr": "0x76450000", 
+                    "state": 4096, 
+                    "offset": 60407272, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x764d8000", 
+                    "addr": "0x76451000", 
+                    "state": 4096, 
+                    "offset": 60411392, 
+                    "type": 16777216, 
+                    "size": 552960
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x764da000", 
+                    "addr": "0x764d8000", 
+                    "state": 4096, 
+                    "offset": 60964376, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x764e1000", 
+                    "addr": "0x764da000", 
+                    "state": 4096, 
+                    "offset": 60972592, 
+                    "type": 16777216, 
+                    "size": 28672
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x764f1000", 
+                    "addr": "0x764f0000", 
+                    "state": 4096, 
+                    "offset": 61001288, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x76542000", 
+                    "addr": "0x764f1000", 
+                    "state": 4096, 
+                    "offset": 61005408, 
+                    "type": 16777216, 
+                    "size": 331776
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x76543000", 
+                    "addr": "0x76542000", 
+                    "state": 4096, 
+                    "offset": 61337208, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76547000", 
+                    "addr": "0x76543000", 
+                    "state": 4096, 
+                    "offset": 61341328, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x76551000", 
+                    "addr": "0x76550000", 
+                    "state": 4096, 
+                    "offset": 61357736, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7691c000", 
+                    "addr": "0x76551000", 
+                    "state": 4096, 
+                    "offset": 61361856, 
+                    "type": 16777216, 
+                    "size": 3977216
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x76920000", 
+                    "addr": "0x7691c000", 
+                    "state": 4096, 
+                    "offset": 65339096, 
+                    "type": 16777216, 
+                    "size": 16384
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x76923000", 
+                    "addr": "0x76920000", 
+                    "state": 4096, 
+                    "offset": 65355504, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7719c000", 
+                    "addr": "0x76923000", 
+                    "state": 4096, 
+                    "offset": 65367816, 
+                    "type": 16777216, 
+                    "size": 8884224
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x771e1000", 
+                    "addr": "0x771e0000", 
+                    "state": 4096, 
+                    "offset": 74252064, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x771e9000", 
+                    "addr": "0x771e1000", 
+                    "state": 4096, 
+                    "offset": 74256184, 
+                    "type": 16777216, 
+                    "size": 32768
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x771ea000", 
+                    "addr": "0x771e9000", 
+                    "state": 4096, 
+                    "offset": 74288976, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x771ec000", 
+                    "addr": "0x771ea000", 
+                    "state": 4096, 
+                    "offset": 74293096, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77251000", 
+                    "addr": "0x77250000", 
+                    "state": 4096, 
+                    "offset": 74301312, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x772f0000", 
+                    "addr": "0x77251000", 
+                    "state": 4096, 
+                    "offset": 74305432, 
+                    "type": 16777216, 
+                    "size": 651264
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x772f1000", 
+                    "addr": "0x772f0000", 
+                    "state": 4096, 
+                    "offset": 74956720, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x772f2000", 
+                    "addr": "0x772f1000", 
+                    "state": 4096, 
+                    "offset": 74960840, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x772f4000", 
+                    "addr": "0x772f2000", 
+                    "state": 4096, 
+                    "offset": 74964960, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x772f7000", 
+                    "addr": "0x772f4000", 
+                    "state": 4096, 
+                    "offset": 74973176, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x772fc000", 
+                    "addr": "0x772f7000", 
+                    "state": 4096, 
+                    "offset": 74985488, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77521000", 
+                    "addr": "0x77520000", 
+                    "state": 4096, 
+                    "offset": 75005992, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x7761e000", 
+                    "addr": "0x77521000", 
+                    "state": 4096, 
+                    "offset": 75010112, 
+                    "type": 16777216, 
+                    "size": 1036288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7764d000", 
+                    "addr": "0x7761e000", 
+                    "state": 4096, 
+                    "offset": 76046424, 
+                    "type": 16777216, 
+                    "size": 192512
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x7764e000", 
+                    "addr": "0x7764d000", 
+                    "state": 4096, 
+                    "offset": 76238960, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x7764f000", 
+                    "addr": "0x7764e000", 
+                    "state": 4096, 
+                    "offset": 76243080, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77650000", 
+                    "addr": "0x7764f000", 
+                    "state": 4096, 
+                    "offset": 76247200, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77652000", 
+                    "addr": "0x77650000", 
+                    "state": 4096, 
+                    "offset": 76251320, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77653000", 
+                    "addr": "0x77652000", 
+                    "state": 4096, 
+                    "offset": 76259536, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77656000", 
+                    "addr": "0x77653000", 
+                    "state": 4096, 
+                    "offset": 76263656, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77658000", 
+                    "addr": "0x77656000", 
+                    "state": 4096, 
+                    "offset": 76275968, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77659000", 
+                    "addr": "0x77658000", 
+                    "state": 4096, 
+                    "offset": 76284184, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x7765b000", 
+                    "addr": "0x77659000", 
+                    "state": 4096, 
+                    "offset": 76288304, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x776ca000", 
+                    "addr": "0x7765b000", 
+                    "state": 4096, 
+                    "offset": 76296520, 
+                    "type": 16777216, 
+                    "size": 454656
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77701000", 
+                    "addr": "0x77700000", 
+                    "state": 4096, 
+                    "offset": 76751200, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x777e6000", 
+                    "addr": "0x77710000", 
+                    "state": 4096, 
+                    "offset": 76755320, 
+                    "type": 16777216, 
+                    "size": 876544
+                }, 
+                {
+                    "protect": "rx", 
+                    "end": "0x777f1000", 
+                    "addr": "0x777f0000", 
+                    "state": 4096, 
+                    "offset": 77631888, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77801000", 
+                    "addr": "0x77800000", 
+                    "state": 4096, 
+                    "offset": 77636008, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77802000", 
+                    "addr": "0x77801000", 
+                    "state": 4096, 
+                    "offset": 77640128, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77803000", 
+                    "addr": "0x77802000", 
+                    "state": 4096, 
+                    "offset": 77644248, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77804000", 
+                    "addr": "0x77803000", 
+                    "state": 4096, 
+                    "offset": 77648368, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x77806000", 
+                    "addr": "0x77804000", 
+                    "state": 4096, 
+                    "offset": 77652488, 
+                    "type": 16777216, 
+                    "size": 8192
+                }, 
+                {
+                    "protect": "rwc", 
+                    "end": "0x77807000", 
+                    "addr": "0x77806000", 
+                    "state": 4096, 
+                    "offset": 77660704, 
+                    "type": 16777216, 
+                    "size": 4096
+                }, 
+                {
+                    "protect": "rw", 
+                    "end": "0x7780a000", 
+                    "addr": "0x77807000", 
+                    "state": 4096, 
+                    "offset": 77664824, 
+                    "type": 16777216, 
+                    "size": 12288
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7786b000", 
+                    "addr": "0x77810000", 
+                    "state": 4096, 
+                    "offset": 77677136, 
+                    "type": 16777216, 
+                    "size": 372736
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x77875000", 
+                    "addr": "0x77870000", 
+                    "state": 4096, 
+                    "offset": 78049896, 
+                    "type": 16777216, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7efe5000", 
+                    "addr": "0x7efe0000", 
+                    "state": 4096, 
+                    "offset": 78070400, 
+                    "type": 262144, 
+                    "size": 20480
+                }, 
+                {
+                    "protect": "r", 
+                    "end": "0x7ffe1000", 
+                    "addr": "0x7ffe0000", 
+                    "state": 4096, 
+                    "offset": 78090904, 
+                    "type": 131072, 
+                    "size": 4096
+                }
+            ], 
+            "yara": [], 
+            "num": 2, 
+            "file": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-2.dmp", 
+            "urls": [
+                "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", 
+                "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", 
+                "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", 
+                "https://portal.office.com/"
+            ], 
+            "extracted": [
+                {
+                    "yara": [
+                        {
+                            "meta": {
+                                "description": "(no description)"
+                            }, 
+                            "name": "loki", 
+                            "offsets": {
+                                "var1": [
+                                    [
+                                        91, 
+                                        0
+                                    ], 
+                                    [
+                                        22964266, 
+                                        0
+                                    ], 
+                                    [
+                                        23078871, 
+                                        0
+                                    ], 
+                                    [
+                                        23079025, 
+                                        0
+                                    ], 
+                                    [
+                                        23148175, 
+                                        0
+                                    ], 
+                                    [
+                                        23150376, 
+                                        0
+                                    ], 
+                                    [
+                                        23380927, 
+                                        0
+                                    ], 
+                                    [
+                                        23381060, 
+                                        0
+                                    ], 
+                                    [
+                                        23381406, 
+                                        0
+                                    ], 
+                                    [
+                                        23381484, 
+                                        0
+                                    ], 
+                                    [
+                                        23384532, 
+                                        0
+                                    ], 
+                                    [
+                                        23518731, 
+                                        0
+                                    ], 
+                                    [
+                                        23519668, 
+                                        0
+                                    ], 
+                                    [
+                                        23522789, 
+                                        0
+                                    ], 
+                                    [
+                                        23522811, 
+                                        0
+                                    ], 
+                                    [
+                                        23529820, 
+                                        0
+                                    ], 
+                                    [
+                                        23533114, 
+                                        0
+                                    ], 
+                                    [
+                                        23537053, 
+                                        0
+                                    ], 
+                                    [
+                                        23572944, 
+                                        0
+                                    ], 
+                                    [
+                                        23820720, 
+                                        0
+                                    ], 
+                                    [
+                                        23831865, 
+                                        0
+                                    ], 
+                                    [
+                                        23831889, 
+                                        0
+                                    ], 
+                                    [
+                                        23849301, 
+                                        0
+                                    ]
+                                ]
+                            }, 
+                            "strings": [
+                                "Y2Fubm90"
+                            ]
+                        }
+                    ], 
+                    "sha1": "0817974a72ce477537dc197d168f7abd0df8cef7", 
+                    "name": "2852-0817974a72ce4775.exe_", 
+                    "type": "PE32 executable (GUI) Intel 80386, for MS Windows", 
+                    "sha256": "89db6b9428fbf7ecdbf59be0d0757bf00fe63ced3ff24646431b70995c64b1b4", 
+                    "urls": [
+                        "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", 
+                        "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", 
+                        "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", 
+                        "https://portal.office.com/"
+                    ], 
+                    "crc32": "59BB0CAB", 
+                    "path": "/home/jean/.cuckoo/storage/analyses/5/memory/2852-0817974a72ce4775.exe_", 
+                    "ssdeep": null, 
+                    "size": 30797824, 
+                    "sha512": "2bb5834b8302d4b153153c57d6e23f3d28410e288b74812d90cbbbcf1069e0a874849e88ad3997ebef6c97ef1fa984fd297ad7ec32c8dab94406c2142828e107", 
+                    "md5": "b5922ec6f3b94cfdb7135ef77b09677d"
+                }
+            ], 
+            "pid": 2852
+        }
+    ], 
+    "target": {
+        "category": "file", 
+        "file": {
+            "yara": [], 
+            "sha1": "398ed1939fa77de6c1f2ec3ada1446431fe3bb70", 
+            "name": "test.msg", 
+            "type": "CDFV2 Microsoft Outlook Message", 
+            "sha256": "0495ee8bf16f65882f016317a912ebf033d2dfd204f48fd081a190f7093b0052", 
+            "urls": [
+                "https://google.fr"
+            ], 
+            "crc32": "1A87D00F", 
+            "path": "/home/jean/.cuckoo/storage/binaries/0495ee8bf16f65882f016317a912ebf033d2dfd204f48fd081a190f7093b0052", 
+            "ssdeep": null, 
+            "size": 24576, 
+            "sha512": "1f930ca0496ed41325ac3ab4ebf930b08b80bdd8ffa6a4a38d31bec32c472ab60a338d2b7284696c69ac1e1687dd7d09089812832f825193a242b20715c21a08", 
+            "md5": "2236de30c6b066ad5be3544ff6512c69"
+        }
+    }, 
+    "extracted": [
+        {
+            "category": "script", 
+            "yara": [], 
+            "info": {}, 
+            "pid": 2916, 
+            "raw": "/home/jean/.cuckoo/storage/analyses/5/extracted/0.bat", 
+            "program": "cmd", 
+            "first_seen": 1613475151.765625
+        }
+    ], 
+    "virustotal": {
+        "summary": {
+            "error": "resource has not been scanned yet"
+        }
+    }, 
+    "network": {
+        "mitm": []
+    }, 
+    "signatures": [
+        {
+            "families": [], 
+            "description": "One or more processes crashed", 
+            "severity": 1, 
+            "ttp": {}, 
+            "markcount": 1, 
+            "references": [], 
+            "marks": [
+                {
+                    "call": {
+                        "category": "__notification__", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "raw": [
+                            "stacktrace"
+                        ], 
+                        "api": "__exception__", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "stacktrace": "RtlpNtEnumerateSubKey+0x2a2c isupper-0x4e13 ntdll+0xcf761 @ 0x777cf761\nRtlpNtEnumerateSubKey+0x2b0c isupper-0x4d33 ntdll+0xcf841 @ 0x777cf841\nRtlpNtEnumerateSubKey+0x2d75 isupper-0x4aca ntdll+0xcfaaa @ 0x777cfaaa\nRtlUlonglongByteSwap+0xc68f RtlFreeOemString-0x15283 ntdll+0x8939f @ 0x7778939f\nRtlDecodeSystemPointer+0x5db RtlCompareUnicodeStrings-0x1f7 ntdll+0x3ad93 @ 0x7773ad93\nRtlDecodeSystemPointer+0x546 RtlCompareUnicodeStrings-0x28c ntdll+0x3acfe @ 0x7773acfe\nRtlQueryPerformanceCounter+0xadd RtlDeleteCriticalSection-0x92c ntdll+0x33441 @ 0x77733441\nLdrUnlockLoaderLock+0xf6a RtlInitUnicodeStringEx-0x1c0 ntdll+0x37f0c @ 0x77737f0c\nLdrUnlockLoaderLock+0x1af RtlInitUnicodeStringEx-0xf7b ntdll+0x37151 @ 0x77737151\nRtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e172 @ 0x7772e172\nmalloc+0x2b free-0x15 ucrtbase+0x2f7cb @ 0x6e3ef7cb\n_IsOutlookOutsideWinMain@0-0x8114f outlook+0x3005 @ 0x143005\n_IsOutlookOutsideWinMain@0-0x80f62 outlook+0x31f2 @ 0x1431f2\n_IsOutlookOutsideWinMain@0-0x80046 outlook+0x410e @ 0x14410e\n_IsOutlookOutsideWinMain@0-0x800f2 outlook+0x4062 @ 0x144062\n_IsOutlookOutsideWinMain@0-0x7cc79 outlook+0x74db @ 0x1474db\n_initterm+0x6d _rmtmp-0x63 ucrtbase+0x272cd @ 0x6e3e72cd\n_IsOutlookOutsideWinMain@0-0x83086 outlook+0x10ce @ 0x1410ce\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x7610336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x777398f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x777398c5", 
+                            "registers": {
+                                "esp": 35059896, 
+                                "edi": 39903200, 
+                                "eax": 35059912, 
+                                "ebp": 35060016, 
+                                "edx": 0, 
+                                "ebx": 0, 
+                                "esi": 39124992, 
+                                "ecx": 2147483647
+                            }, 
+                            "exception": {
+                                "instruction_r": "eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff", 
+                                "symbol": "RtlpNtEnumerateSubKey+0x1b26 isupper-0x5d19 ntdll+0xce85b", 
+                                "instruction": "jmp 0x777ce86f", 
+                                "module": "ntdll.dll", 
+                                "exception_code": "0xc0000374", 
+                                "offset": 845915, 
+                                "address": "0x777ce85b"
+                            }
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    "pid": 2852, 
+                    "type": "call", 
+                    "cid": 8
+                }
+            ], 
+            "name": "raises_exception"
+        }, 
+        {
+            "families": [], 
+            "description": "Potentially malicious URLs were found in the process memory dump", 
+            "severity": 2, 
+            "ttp": {}, 
+            "markcount": 4, 
+            "references": [], 
+            "marks": [
+                {
+                    "category": "url", 
+                    "ioc": "https://docs.microsoft.com/en-us/windows/desktop/wer/wer-settings", 
+                    "type": "ioc", 
+                    "description": null
+                }, 
+                {
+                    "category": "url", 
+                    "ioc": "https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date", 
+                    "type": "ioc", 
+                    "description": null
+                }, 
+                {
+                    "category": "url", 
+                    "ioc": "https://msit.powerbi.com/groups/8d49da43-4dea-44a3-ac7a-9a4351e92cc3/reports/ad136270-8017-4dec-a0b7-248102dd3579/ReportSection2", 
+                    "type": "ioc", 
+                    "description": null
+                }, 
+                {
+                    "category": "url", 
+                    "ioc": "https://portal.office.com/", 
+                    "type": "ioc", 
+                    "description": null
+                }
+            ], 
+            "name": "memdump_urls"
+        }
+    ], 
+    "behavior": {
+        "generic": [
+            {
+                "process_path": "C:\\Windows\\System32\\lsass.exe", 
+                "process_name": "lsass.exe", 
+                "pid": 504, 
+                "summary": {}, 
+                "first_seen": 1613475151.515625, 
+                "ppid": 396
+            }, 
+            {
+                "process_path": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", 
+                "process_name": "OUTLOOK.EXE", 
+                "pid": 2852, 
+                "summary": {}, 
+                "first_seen": 1613475152.96875, 
+                "ppid": 2916
+            }, 
+            {
+                "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", 
+                "process_name": "cmd.exe", 
+                "pid": 2916, 
+                "summary": {}, 
+                "first_seen": 1613475151.765625, 
+                "ppid": 3848
+            }
+        ], 
+        "apistats": {
+            "2852": {
+                "NtCreateSection": 1, 
+                "GetSystemTimeAsFileTime": 1, 
+                "NtUnmapViewOfSection": 1, 
+                "LdrGetProcedureAddress": 3, 
+                "SetUnhandledExceptionFilter": 1, 
+                "__exception__": 1, 
+                "NtFreeVirtualMemory": 1, 
+                "NtClose": 4, 
+                "NtAllocateVirtualMemory": 3, 
+                "NtTerminateProcess": 1, 
+                "LdrGetDllHandle": 1, 
+                "NtMapViewOfSection": 1
+            }
+        }, 
+        "processes": [
+            {
+                "process_path": "C:\\Windows\\System32\\lsass.exe", 
+                "calls": [], 
+                "track": false, 
+                "pid": 504, 
+                "process_name": "lsass.exe", 
+                "command_line": "C:\\Windows\\system32\\lsass.exe", 
+                "modules": [
+                    {
+                        "basename": "lsass.exe", 
+                        "imgsize": 49152, 
+                        "baseaddr": "0xffea0000", 
+                        "filepath": "C:\\Windows\\system32\\lsass.exe"
+                    }, 
+                    {
+                        "basename": "ntdll.dll", 
+                        "imgsize": 1744896, 
+                        "baseaddr": "0x77520000", 
+                        "filepath": "C:\\Windows\\SYSTEM32\\ntdll.dll"
+                    }, 
+                    {
+                        "basename": "kernel32.dll", 
+                        "imgsize": 1175552, 
+                        "baseaddr": "0x77400000", 
+                        "filepath": "C:\\Windows\\system32\\kernel32.dll"
+                    }, 
+                    {
+                        "basename": "KERNELBASE.dll", 
+                        "imgsize": 434176, 
+                        "baseaddr": "0x7fefd360000", 
+                        "filepath": "C:\\Windows\\system32\\KERNELBASE.dll"
+                    }, 
+                    {
+                        "basename": "msvcrt.dll", 
+                        "imgsize": 651264, 
+                        "baseaddr": "0x7fefd680000", 
+                        "filepath": "C:\\Windows\\system32\\msvcrt.dll"
+                    }, 
+                    {
+                        "basename": "RPCRT4.dll", 
+                        "imgsize": 1232896, 
+                        "baseaddr": "0x7fefe710000", 
+                        "filepath": "C:\\Windows\\system32\\RPCRT4.dll"
+                    }, 
+                    {
+                        "basename": "SspiSrv.dll", 
+                        "imgsize": 45056, 
+                        "baseaddr": "0x7fefcfd0000", 
+                        "filepath": "C:\\Windows\\system32\\SspiSrv.dll"
+                    }, 
+                    {
+                        "basename": "lsasrv.dll", 
+                        "imgsize": 1482752, 
+                        "baseaddr": "0x7fefce50000", 
+                        "filepath": "C:\\Windows\\system32\\lsasrv.dll"
+                    }, 
+                    {
+                        "basename": "sechost.dll", 
+                        "imgsize": 126976, 
+                        "baseaddr": "0x7fefe480000", 
+                        "filepath": "C:\\Windows\\SYSTEM32\\sechost.dll"
+                    }, 
+                    {
+                        "basename": "SspiCli.dll", 
+                        "imgsize": 151552, 
+                        "baseaddr": "0x7fefcfe0000", 
+                        "filepath": "C:\\Windows\\system32\\SspiCli.dll"
+                    }, 
+                    {
+                        "basename": "ADVAPI32.dll", 
+                        "imgsize": 897024, 
+                        "baseaddr": "0x7fefd9d0000", 
+                        "filepath": "C:\\Windows\\system32\\ADVAPI32.dll"
+                    }, 
+                    {
+                        "basename": "USER32.dll", 
+                        "imgsize": 1024000, 
+                        "baseaddr": "0x77300000", 
+                        "filepath": "C:\\Windows\\system32\\USER32.dll"
+                    }, 
+                    {
+                        "basename": "GDI32.dll", 
+                        "imgsize": 421888, 
+                        "baseaddr": "0x7feff7c0000", 
+                        "filepath": "C:\\Windows\\system32\\GDI32.dll"
+                    }, 
+                    {
+                        "basename": "LPK.dll", 
+                        "imgsize": 57344, 
+                        "baseaddr": "0x7fefd5d0000", 
+                        "filepath": "C:\\Windows\\system32\\LPK.dll"
+                    }, 
+                    {
+                        "basename": "USP10.dll", 
+                        "imgsize": 831488, 
+                        "baseaddr": "0x7fefdab0000", 
+                        "filepath": "C:\\Windows\\system32\\USP10.dll"
+                    }, 
+                    {
+                        "basename": "SAMSRV.dll", 
+                        "imgsize": 790528, 
+                        "baseaddr": "0x7fefcd50000", 
+                        "filepath": "C:\\Windows\\system32\\SAMSRV.dll"
+                    }, 
+                    {
+                        "basename": "cryptdll.dll", 
+                        "imgsize": 81920, 
+                        "baseaddr": "0x7fefcd20000", 
+                        "filepath": "C:\\Windows\\system32\\cryptdll.dll"
+                    }, 
+                    {
+                        "basename": "MSASN1.dll", 
+                        "imgsize": 61440, 
+                        "baseaddr": "0x7fefd210000", 
+                        "filepath": "C:\\Windows\\system32\\MSASN1.dll"
+                    }, 
+                    {
+                        "basename": "wevtapi.dll", 
+                        "imgsize": 446464, 
+                        "baseaddr": "0x7fefcc40000", 
+                        "filepath": "C:\\Windows\\system32\\wevtapi.dll"
+                    }, 
+                    {
+                        "basename": "IMM32.DLL", 
+                        "imgsize": 188416, 
+                        "baseaddr": "0x7fefde50000", 
+                        "filepath": "C:\\Windows\\system32\\IMM32.DLL"
+                    }, 
+                    {
+                        "basename": "MSCTF.dll", 
+                        "imgsize": 1085440, 
+                        "baseaddr": "0x7fefe840000", 
+                        "filepath": "C:\\Windows\\system32\\MSCTF.dll"
+                    }, 
+                    {
+                        "basename": "cngaudit.dll", 
+                        "imgsize": 36864, 
+                        "baseaddr": "0x7fefcc00000", 
+                        "filepath": "C:\\Windows\\system32\\cngaudit.dll"
+                    }, 
+                    {
+                        "basename": "AUTHZ.dll", 
+                        "imgsize": 192512, 
+                        "baseaddr": "0x7fefcbd0000", 
+                        "filepath": "C:\\Windows\\system32\\AUTHZ.dll"
+                    }, 
+                    {
+                        "basename": "ncrypt.dll", 
+                        "imgsize": 327680, 
+                        "baseaddr": "0x7fefcb80000", 
+                        "filepath": "C:\\Windows\\system32\\ncrypt.dll"
+                    }, 
+                    {
+                        "basename": "bcrypt.dll", 
+                        "imgsize": 139264, 
+                        "baseaddr": "0x7fefcb50000", 
+                        "filepath": "C:\\Windows\\system32\\bcrypt.dll"
+                    }, 
+                    {
+                        "basename": "msprivs.DLL", 
+                        "imgsize": 8192, 
+                        "baseaddr": "0x74f80000", 
+                        "filepath": "C:\\Windows\\system32\\msprivs.DLL"
+                    }, 
+                    {
+                        "basename": "netjoin.dll", 
+                        "imgsize": 204800, 
+                        "baseaddr": "0x7fefcb10000", 
+                        "filepath": "C:\\Windows\\system32\\netjoin.dll"
+                    }, 
+                    {
+                        "basename": "negoexts.DLL", 
+                        "imgsize": 147456, 
+                        "baseaddr": "0x7fefcae0000", 
+                        "filepath": "C:\\Windows\\system32\\negoexts.DLL"
+                    }, 
+                    {
+                        "basename": "Secur32.dll", 
+                        "imgsize": 45056, 
+                        "baseaddr": "0x7fefcd40000", 
+                        "filepath": "C:\\Windows\\system32\\Secur32.dll"
+                    }, 
+                    {
+                        "basename": "cryptbase.dll", 
+                        "imgsize": 61440, 
+                        "baseaddr": "0x7fefd070000", 
+                        "filepath": "C:\\Windows\\system32\\cryptbase.dll"
+                    }, 
+                    {
+                        "basename": "kerberos.DLL", 
+                        "imgsize": 753664, 
+                        "baseaddr": "0x7fefca20000", 
+                        "filepath": "C:\\Windows\\system32\\kerberos.DLL"
+                    }, 
+                    {
+                        "basename": "CRYPTSP.dll", 
+                        "imgsize": 98304, 
+                        "baseaddr": "0x7fefca00000", 
+                        "filepath": "C:\\Windows\\system32\\CRYPTSP.dll"
+                    }, 
+                    {
+                        "basename": "WS2_32.dll", 
+                        "imgsize": 315392, 
+                        "baseaddr": "0x7fefe100000", 
+                        "filepath": "C:\\Windows\\system32\\WS2_32.dll"
+                    }, 
+                    {
+                        "basename": "NSI.dll", 
+                        "imgsize": 32768, 
+                        "baseaddr": "0x7fefe520000", 
+                        "filepath": "C:\\Windows\\system32\\NSI.dll"
+                    }, 
+                    {
+                        "basename": "mswsock.dll", 
+                        "imgsize": 348160, 
+                        "baseaddr": "0x7fefc9a0000", 
+                        "filepath": "C:\\Windows\\system32\\mswsock.dll"
+                    }, 
+                    {
+                        "basename": "wship6.dll", 
+                        "imgsize": 28672, 
+                        "baseaddr": "0x7fefc990000", 
+                        "filepath": "C:\\Windows\\System32\\wship6.dll"
+                    }, 
+                    {
+                        "basename": "msv1_0.DLL", 
+                        "imgsize": 335872, 
+                        "baseaddr": "0x7fefc930000", 
+                        "filepath": "C:\\Windows\\system32\\msv1_0.DLL"
+                    }, 
+                    {
+                        "basename": "netlogon.DLL", 
+                        "imgsize": 712704, 
+                        "baseaddr": "0x7fefc880000", 
+                        "filepath": "C:\\Windows\\system32\\netlogon.DLL"
+                    }, 
+                    {
+                        "basename": "DNSAPI.dll", 
+                        "imgsize": 372736, 
+                        "baseaddr": "0x7fefc820000", 
+                        "filepath": "C:\\Windows\\system32\\DNSAPI.dll"
+                    }, 
+                    {
+                        "basename": "logoncli.dll", 
+                        "imgsize": 196608, 
+                        "baseaddr": "0x7fefc7f0000", 
+                        "filepath": "C:\\Windows\\system32\\logoncli.dll"
+                    }, 
+                    {
+                        "basename": "schannel.DLL", 
+                        "imgsize": 360448, 
+                        "baseaddr": "0x7fefc790000", 
+                        "filepath": "C:\\Windows\\system32\\schannel.DLL"
+                    }, 
+                    {
+                        "basename": "CRYPT32.dll", 
+                        "imgsize": 1495040, 
+                        "baseaddr": "0x7fefd3e0000", 
+                        "filepath": "C:\\Windows\\system32\\CRYPT32.dll"
+                    }, 
+                    {
+                        "basename": "wdigest.DLL", 
+                        "imgsize": 221184, 
+                        "baseaddr": "0x7fefc750000", 
+                        "filepath": "C:\\Windows\\system32\\wdigest.DLL"
+                    }, 
+                    {
+                        "basename": "rsaenh.dll", 
+                        "imgsize": 290816, 
+                        "baseaddr": "0x7fefc700000", 
+                        "filepath": "C:\\Windows\\system32\\rsaenh.dll"
+                    }, 
+                    {
+                        "basename": "tspkg.DLL", 
+                        "imgsize": 102400, 
+                        "baseaddr": "0x7fefc6e0000", 
+                        "filepath": "C:\\Windows\\system32\\tspkg.DLL"
+                    }, 
+                    {
+                        "basename": "pku2u.DLL", 
+                        "imgsize": 282624, 
+                        "baseaddr": "0x7fefc690000", 
+                        "filepath": "C:\\Windows\\system32\\pku2u.DLL"
+                    }, 
+                    {
+                        "basename": "bcryptprimitives.dll", 
+                        "imgsize": 311296, 
+                        "baseaddr": "0x7fefc640000", 
+                        "filepath": "C:\\Windows\\system32\\bcryptprimitives.dll"
+                    }, 
+                    {
+                        "basename": "RpcRtRemote.dll", 
+                        "imgsize": 81920, 
+                        "baseaddr": "0x7fefd160000", 
+                        "filepath": "C:\\Windows\\system32\\RpcRtRemote.dll"
+                    }, 
+                    {
+                        "basename": "efslsaext.dll", 
+                        "imgsize": 73728, 
+                        "baseaddr": "0x7fefc620000", 
+                        "filepath": "C:\\Windows\\system32\\efslsaext.dll"
+                    }, 
+                    {
+                        "basename": "scecli.DLL", 
+                        "imgsize": 253952, 
+                        "baseaddr": "0x7fefc5c0000", 
+                        "filepath": "C:\\Windows\\system32\\scecli.DLL"
+                    }, 
+                    {
+                        "basename": "credssp.dll", 
+                        "imgsize": 40960, 
+                        "baseaddr": "0x7fefc600000", 
+                        "filepath": "C:\\Windows\\system32\\credssp.dll"
+                    }, 
+                    {
+                        "basename": "WINSTA.dll", 
+                        "imgsize": 249856, 
+                        "baseaddr": "0x7fefd120000", 
+                        "filepath": "C:\\Windows\\system32\\WINSTA.dll"
+                    }, 
+                    {
+                        "basename": "IPHLPAPI.DLL", 
+                        "imgsize": 159744, 
+                        "baseaddr": "0x7fefc440000", 
+                        "filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL"
+                    }, 
+                    {
+                        "basename": "WINNSI.DLL", 
+                        "imgsize": 45056, 
+                        "baseaddr": "0x7fefc430000", 
+                        "filepath": "C:\\Windows\\system32\\WINNSI.DLL"
+                    }, 
+                    {
+                        "basename": "netutils.dll", 
+                        "imgsize": 49152, 
+                        "baseaddr": "0x7fefafd0000", 
+                        "filepath": "C:\\Windows\\system32\\netutils.dll"
+                    }, 
+                    {
+                        "basename": "wkscli.dll", 
+                        "imgsize": 86016, 
+                        "baseaddr": "0x7fefafa0000", 
+                        "filepath": "C:\\Windows\\system32\\wkscli.dll"
+                    }, 
+                    {
+                        "basename": "USERENV.dll", 
+                        "imgsize": 122880, 
+                        "baseaddr": "0x7fefd250000", 
+                        "filepath": "C:\\Windows\\system32\\USERENV.dll"
+                    }, 
+                    {
+                        "basename": "profapi.dll", 
+                        "imgsize": 61440, 
+                        "baseaddr": "0x7fefd220000", 
+                        "filepath": "C:\\Windows\\system32\\profapi.dll"
+                    }, 
+                    {
+                        "basename": "wshtcpip.dll", 
+                        "imgsize": 28672, 
+                        "baseaddr": "0x7fefc300000", 
+                        "filepath": "C:\\Windows\\System32\\wshtcpip.dll"
+                    }, 
+                    {
+                        "basename": "dssenh.dll", 
+                        "imgsize": 204800, 
+                        "baseaddr": "0x7fef1c60000", 
+                        "filepath": "C:\\Windows\\system32\\dssenh.dll"
+                    }, 
+                    {
+                        "basename": "GPAPI.dll", 
+                        "imgsize": 110592, 
+                        "baseaddr": "0x7fefc4b0000", 
+                        "filepath": "C:\\Windows\\system32\\GPAPI.dll"
+                    }, 
+                    {
+                        "basename": "monitor-x64.dll", 
+                        "imgsize": 2269184, 
+                        "baseaddr": "0x6e6b0000", 
+                        "filepath": "C:\\tmped72ov\\bin\\monitor-x64.dll"
+                    }
+                ], 
+                "time": 0, 
+                "tid": 388, 
+                "first_seen": 1613475151.515625, 
+                "ppid": 396, 
+                "type": "process"
+            }, 
+            {
+                "process_path": "C:\\Windows\\SysWOW64\\cmd.exe", 
+                "calls": [], 
+                "track": true, 
+                "pid": 2916, 
+                "process_name": "cmd.exe", 
+                "command_line": "\"C:\\Windows\\System32\\cmd.exe\" /c start /wait \"EOQNXBK\" C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg", 
+                "modules": [
+                    {
+                        "basename": "cmd.exe", 
+                        "imgsize": 311296, 
+                        "baseaddr": "0x4a440000", 
+                        "filepath": "C:\\Windows\\SysWOW64\\cmd.exe"
+                    }, 
+                    {
+                        "basename": "ntdll.dll", 
+                        "imgsize": 1572864, 
+                        "baseaddr": "0x77700000", 
+                        "filepath": "C:\\Windows\\SysWOW64\\ntdll.dll"
+                    }, 
+                    {
+                        "basename": "kernel32.dll", 
+                        "imgsize": 1114112, 
+                        "baseaddr": "0x760f0000", 
+                        "filepath": "C:\\Windows\\syswow64\\kernel32.dll"
+                    }, 
+                    {
+                        "basename": "KERNELBASE.dll", 
+                        "imgsize": 290816, 
+                        "baseaddr": "0x75a80000", 
+                        "filepath": "C:\\Windows\\syswow64\\KERNELBASE.dll"
+                    }, 
+                    {
+                        "basename": "msvcrt.dll", 
+                        "imgsize": 704512, 
+                        "baseaddr": "0x77250000", 
+                        "filepath": "C:\\Windows\\syswow64\\msvcrt.dll"
+                    }, 
+                    {
+                        "basename": "WINBRAND.dll", 
+                        "imgsize": 28672, 
+                        "baseaddr": "0x73c40000", 
+                        "filepath": "C:\\Windows\\System32\\WINBRAND.dll"
+                    }, 
+                    {
+                        "basename": "USER32.dll", 
+                        "imgsize": 1048576, 
+                        "baseaddr": "0x752d0000", 
+                        "filepath": "C:\\Windows\\syswow64\\USER32.dll"
+                    }, 
+                    {
+                        "basename": "GDI32.dll", 
+                        "imgsize": 589824, 
+                        "baseaddr": "0x75db0000", 
+                        "filepath": "C:\\Windows\\syswow64\\GDI32.dll"
+                    }, 
+                    {
+                        "basename": "LPK.dll", 
+                        "imgsize": 40960, 
+                        "baseaddr": "0x76410000", 
+                        "filepath": "C:\\Windows\\syswow64\\LPK.dll"
+                    }, 
+                    {
+                        "basename": "USP10.dll", 
+                        "imgsize": 643072, 
+                        "baseaddr": "0x753d0000", 
+                        "filepath": "C:\\Windows\\syswow64\\USP10.dll"
+                    }, 
+                    {
+                        "basename": "ADVAPI32.dll", 
+                        "imgsize": 659456, 
+                        "baseaddr": "0x75cf0000", 
+                        "filepath": "C:\\Windows\\syswow64\\ADVAPI32.dll"
+                    }, 
+                    {
+                        "basename": "sechost.dll", 
+                        "imgsize": 102400, 
+                        "baseaddr": "0x75720000", 
+                        "filepath": "C:\\Windows\\SysWOW64\\sechost.dll"
+                    }, 
+                    {
+                        "basename": "RPCRT4.dll", 
+                        "imgsize": 983040, 
+                        "baseaddr": "0x751e0000", 
+                        "filepath": "C:\\Windows\\syswow64\\RPCRT4.dll"
+                    }, 
+                    {
+                        "basename": "SspiCli.dll", 
+                        "imgsize": 393216, 
+                        "baseaddr": "0x74fa0000", 
+                        "filepath": "C:\\Windows\\syswow64\\SspiCli.dll"
+                    }, 
+                    {
+                        "basename": "CRYPTBASE.dll", 
+                        "imgsize": 49152, 
+                        "baseaddr": "0x74f90000", 
+                        "filepath": "C:\\Windows\\syswow64\\CRYPTBASE.dll"
+                    }, 
+                    {
+                        "basename": "IMM32.DLL", 
+                        "imgsize": 393216, 
+                        "baseaddr": "0x75c90000", 
+                        "filepath": "C:\\Windows\\system32\\IMM32.DLL"
+                    }, 
+                    {
+                        "basename": "MSCTF.dll", 
+                        "imgsize": 839680, 
+                        "baseaddr": "0x759a0000", 
+                        "filepath": "C:\\Windows\\syswow64\\MSCTF.dll"
+                    }, 
+                    {
+                        "basename": "monitor-x86.dll", 
+                        "imgsize": 2117632, 
+                        "baseaddr": "0x6e4a0000", 
+                        "filepath": "C:\\tmped72ov\\bin\\monitor-x86.dll"
+                    }
+                ], 
+                "time": 0, 
+                "tid": 3908, 
+                "first_seen": 1613475151.765625, 
+                "ppid": 3848, 
+                "type": "process"
+            }, 
+            {
+                "process_path": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", 
+                "calls": [
+                    {
+                        "category": "synchronisation", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "GetSystemTimeAsFileTime", 
+                        "return_value": 0, 
+                        "arguments": {}, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "LdrGetDllHandle", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "module_name": "api-ms-win-core-synch-l1-2-0.dll", 
+                            "stack_pivoted": 0, 
+                            "module_address": "0x72cc0000"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "LdrGetProcedureAddress", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "ordinal": 0, 
+                            "module": "api-ms-win-core-synch-l1-2-0", 
+                            "module_address": "0x72cc0000", 
+                            "function_address": "0x77738461", 
+                            "function_name": "InitializeConditionVariable"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "LdrGetProcedureAddress", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "ordinal": 0, 
+                            "module": "api-ms-win-core-synch-l1-2-0", 
+                            "module_address": "0x72cc0000", 
+                            "function_address": "0x761852b2", 
+                            "function_name": "SleepConditionVariableCS"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "LdrGetProcedureAddress", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "ordinal": 0, 
+                            "module": "api-ms-win-core-synch-l1-2-0", 
+                            "module_address": "0x72cc0000", 
+                            "function_address": "0x77763b17", 
+                            "function_name": "WakeAllConditionVariable"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "exception", 
+                        "status": 0, 
+                        "stacktrace": [], 
+                        "last_error": 0, 
+                        "nt_status": -1073741515, 
+                        "api": "SetUnhandledExceptionFilter", 
+                        "return_value": 0, 
+                        "arguments": {}, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtAllocateVirtualMemory", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "process_identifier": 2852, 
+                            "region_size": 16384, 
+                            "stack_dep_bypass": 0, 
+                            "stack_pivoted": 0, 
+                            "heap_dep_bypass": 0, 
+                            "protection": 4, 
+                            "process_handle": "0xffffffff", 
+                            "allocation_type": 4096, 
+                            "base_address": "0x0260a000"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {
+                            "protection": "PAGE_READWRITE", 
+                            "allocation_type": "MEM_COMMIT"
+                        }
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtAllocateVirtualMemory", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "process_identifier": 2852, 
+                            "region_size": 4096, 
+                            "stack_dep_bypass": 0, 
+                            "stack_pivoted": 0, 
+                            "heap_dep_bypass": 0, 
+                            "protection": 4, 
+                            "process_handle": "0xffffffff", 
+                            "allocation_type": 4096, 
+                            "base_address": "0x0260e000"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {
+                            "protection": "PAGE_READWRITE", 
+                            "allocation_type": "MEM_COMMIT"
+                        }
+                    }, 
+                    {
+                        "category": "__notification__", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "__exception__", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "stacktrace": [
+                                "RtlpNtEnumerateSubKey+0x2a2c isupper-0x4e13 ntdll+0xcf761 @ 0x777cf761", 
+                                "RtlpNtEnumerateSubKey+0x2b0c isupper-0x4d33 ntdll+0xcf841 @ 0x777cf841", 
+                                "RtlpNtEnumerateSubKey+0x2d75 isupper-0x4aca ntdll+0xcfaaa @ 0x777cfaaa", 
+                                "RtlUlonglongByteSwap+0xc68f RtlFreeOemString-0x15283 ntdll+0x8939f @ 0x7778939f", 
+                                "RtlDecodeSystemPointer+0x5db RtlCompareUnicodeStrings-0x1f7 ntdll+0x3ad93 @ 0x7773ad93", 
+                                "RtlDecodeSystemPointer+0x546 RtlCompareUnicodeStrings-0x28c ntdll+0x3acfe @ 0x7773acfe", 
+                                "RtlQueryPerformanceCounter+0xadd RtlDeleteCriticalSection-0x92c ntdll+0x33441 @ 0x77733441", 
+                                "LdrUnlockLoaderLock+0xf6a RtlInitUnicodeStringEx-0x1c0 ntdll+0x37f0c @ 0x77737f0c", 
+                                "LdrUnlockLoaderLock+0x1af RtlInitUnicodeStringEx-0xf7b ntdll+0x37151 @ 0x77737151", 
+                                "RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e172 @ 0x7772e172", 
+                                "malloc+0x2b free-0x15 ucrtbase+0x2f7cb @ 0x6e3ef7cb", 
+                                "_IsOutlookOutsideWinMain@0-0x8114f outlook+0x3005 @ 0x143005", 
+                                "_IsOutlookOutsideWinMain@0-0x80f62 outlook+0x31f2 @ 0x1431f2", 
+                                "_IsOutlookOutsideWinMain@0-0x80046 outlook+0x410e @ 0x14410e", 
+                                "_IsOutlookOutsideWinMain@0-0x800f2 outlook+0x4062 @ 0x144062", 
+                                "_IsOutlookOutsideWinMain@0-0x7cc79 outlook+0x74db @ 0x1474db", 
+                                "_initterm+0x6d _rmtmp-0x63 ucrtbase+0x272cd @ 0x6e3e72cd", 
+                                "_IsOutlookOutsideWinMain@0-0x83086 outlook+0x10ce @ 0x1410ce", 
+                                "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x7610336a", 
+                                "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x777398f2", 
+                                "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x777398c5"
+                            ], 
+                            "registers": {
+                                "esp": 35059896, 
+                                "edi": 39903200, 
+                                "eax": 35059912, 
+                                "ebp": 35060016, 
+                                "edx": 0, 
+                                "ebx": 0, 
+                                "esi": 39124992, 
+                                "ecx": 2147483647
+                            }, 
+                            "exception": {
+                                "instruction_r": "eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff", 
+                                "symbol": "RtlpNtEnumerateSubKey+0x1b26 isupper-0x5d19 ntdll+0xce85b", 
+                                "instruction": "jmp 0x777ce86f", 
+                                "module": "ntdll.dll", 
+                                "exception_code": "0xc0000374", 
+                                "offset": 845915, 
+                                "address": "0x777ce85b"
+                            }
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtCreateSection", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "section_handle": "0x00000168", 
+                            "object_handle": "0x00000000", 
+                            "desired_access": "0x000f0007", 
+                            "protection": 4, 
+                            "section_name": "", 
+                            "file_handle": "0x00000000"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {
+                            "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+                        }
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtMapViewOfSection", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "section_handle": "0x00000168", 
+                            "process_identifier": 2852, 
+                            "commit_size": 0, 
+                            "win32_protect": 4, 
+                            "buffer": "", 
+                            "process_handle": "0xffffffff", 
+                            "allocation_type": 0, 
+                            "section_offset": 0, 
+                            "view_size": 4096, 
+                            "base_address": "0x01fd0000"
+                        }, 
+                        "time": 1613475153.04675, 
+                        "tid": 3548, 
+                        "flags": {
+                            "win32_protect": "PAGE_READWRITE", 
+                            "allocation_type": ""
+                        }
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtClose", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "handle": "0x0000016c"
+                        }, 
+                        "time": 1613475154.59375, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtAllocateVirtualMemory", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "process_identifier": 2852, 
+                            "region_size": 4096, 
+                            "stack_dep_bypass": 0, 
+                            "stack_pivoted": 0, 
+                            "heap_dep_bypass": 0, 
+                            "protection": 4, 
+                            "process_handle": "0xffffffff", 
+                            "allocation_type": 4096, 
+                            "base_address": "0x01fe0000"
+                        }, 
+                        "time": 1613475154.59375, 
+                        "tid": 3548, 
+                        "flags": {
+                            "protection": "PAGE_READWRITE", 
+                            "allocation_type": "MEM_COMMIT"
+                        }
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtFreeVirtualMemory", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "free_type": 32768, 
+                            "process_identifier": 2852, 
+                            "process_handle": "0xffffffff", 
+                            "base_address": "0x01fe0000", 
+                            "size": 4096
+                        }, 
+                        "time": 1613475154.62475, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtClose", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "handle": "0x0000016c"
+                        }, 
+                        "time": 1613475154.62475, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtUnmapViewOfSection", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "process_identifier": 2852, 
+                            "region_size": 4096, 
+                            "process_handle": "0xffffffff", 
+                            "base_address": "0x01fd0000"
+                        }, 
+                        "time": 1613475154.65675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtClose", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "handle": "0x00000168"
+                        }, 
+                        "time": 1613475154.65675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "system", 
+                        "status": 1, 
+                        "stacktrace": [], 
+                        "api": "NtClose", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "handle": "0x00000170"
+                        }, 
+                        "time": 1613475154.65675, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }, 
+                    {
+                        "category": "process", 
+                        "status": 0, 
+                        "stacktrace": [], 
+                        "last_error": 0, 
+                        "nt_status": -1073741054, 
+                        "api": "NtTerminateProcess", 
+                        "return_value": 0, 
+                        "arguments": {
+                            "status_code": "0xc0000374", 
+                            "process_identifier": 2852, 
+                            "process_handle": "0xffffffff"
+                        }, 
+                        "time": 1613475155.31275, 
+                        "tid": 3548, 
+                        "flags": {}
+                    }
+                ], 
+                "track": true, 
+                "pid": 2852, 
+                "process_name": "OUTLOOK.EXE", 
+                "command_line": "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE\" /f \"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg\"", 
+                "modules": [
+                    {
+                        "basename": "OUTLOOK.EXE", 
+                        "imgsize": 30797824, 
+                        "baseaddr": "0x140000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE"
+                    }, 
+                    {
+                        "basename": "ntdll.dll", 
+                        "imgsize": 1572864, 
+                        "baseaddr": "0x77700000", 
+                        "filepath": "C:\\Windows\\SysWOW64\\ntdll.dll"
+                    }, 
+                    {
+                        "basename": "kernel32.dll", 
+                        "imgsize": 1114112, 
+                        "baseaddr": "0x760f0000", 
+                        "filepath": "C:\\Windows\\syswow64\\kernel32.dll"
+                    }, 
+                    {
+                        "basename": "KERNELBASE.dll", 
+                        "imgsize": 290816, 
+                        "baseaddr": "0x75a80000", 
+                        "filepath": "C:\\Windows\\syswow64\\KERNELBASE.dll"
+                    }, 
+                    {
+                        "basename": "AppVIsvSubsystems32.dll", 
+                        "imgsize": 2007040, 
+                        "baseaddr": "0x72aa0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\AppVIsvSubsystems32.dll"
+                    }, 
+                    {
+                        "basename": "c2r32.dll", 
+                        "imgsize": 2039808, 
+                        "baseaddr": "0x71e00000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\c2r32.dll"
+                    }, 
+                    {
+                        "basename": "OLEAUT32.dll", 
+                        "imgsize": 593920, 
+                        "baseaddr": "0x76450000", 
+                        "filepath": "C:\\Windows\\syswow64\\OLEAUT32.dll"
+                    }, 
+                    {
+                        "basename": "ole32.dll", 
+                        "imgsize": 1429504, 
+                        "baseaddr": "0x75760000", 
+                        "filepath": "C:\\Windows\\syswow64\\ole32.dll"
+                    }, 
+                    {
+                        "basename": "msvcrt.dll", 
+                        "imgsize": 704512, 
+                        "baseaddr": "0x77250000", 
+                        "filepath": "C:\\Windows\\syswow64\\msvcrt.dll"
+                    }, 
+                    {
+                        "basename": "GDI32.dll", 
+                        "imgsize": 589824, 
+                        "baseaddr": "0x75db0000", 
+                        "filepath": "C:\\Windows\\syswow64\\GDI32.dll"
+                    }, 
+                    {
+                        "basename": "USER32.dll", 
+                        "imgsize": 1048576, 
+                        "baseaddr": "0x752d0000", 
+                        "filepath": "C:\\Windows\\syswow64\\USER32.dll"
+                    }, 
+                    {
+                        "basename": "ADVAPI32.dll", 
+                        "imgsize": 659456, 
+                        "baseaddr": "0x75cf0000", 
+                        "filepath": "C:\\Windows\\syswow64\\ADVAPI32.dll"
+                    }, 
+                    {
+                        "basename": "sechost.dll", 
+                        "imgsize": 102400, 
+                        "baseaddr": "0x75720000", 
+                        "filepath": "C:\\Windows\\SysWOW64\\sechost.dll"
+                    }, 
+                    {
+                        "basename": "RPCRT4.dll", 
+                        "imgsize": 983040, 
+                        "baseaddr": "0x751e0000", 
+                        "filepath": "C:\\Windows\\syswow64\\RPCRT4.dll"
+                    }, 
+                    {
+                        "basename": "SspiCli.dll", 
+                        "imgsize": 393216, 
+                        "baseaddr": "0x74fa0000", 
+                        "filepath": "C:\\Windows\\syswow64\\SspiCli.dll"
+                    }, 
+                    {
+                        "basename": "CRYPTBASE.dll", 
+                        "imgsize": 49152, 
+                        "baseaddr": "0x74f90000", 
+                        "filepath": "C:\\Windows\\syswow64\\CRYPTBASE.dll"
+                    }, 
+                    {
+                        "basename": "LPK.dll", 
+                        "imgsize": 40960, 
+                        "baseaddr": "0x76410000", 
+                        "filepath": "C:\\Windows\\syswow64\\LPK.dll"
+                    }, 
+                    {
+                        "basename": "USP10.dll", 
+                        "imgsize": 643072, 
+                        "baseaddr": "0x753d0000", 
+                        "filepath": "C:\\Windows\\syswow64\\USP10.dll"
+                    }, 
+                    {
+                        "basename": "SHELL32.dll", 
+                        "imgsize": 12894208, 
+                        "baseaddr": "0x76550000", 
+                        "filepath": "C:\\Windows\\syswow64\\SHELL32.dll"
+                    }, 
+                    {
+                        "basename": "SHLWAPI.dll", 
+                        "imgsize": 356352, 
+                        "baseaddr": "0x764f0000", 
+                        "filepath": "C:\\Windows\\syswow64\\SHLWAPI.dll"
+                    }, 
+                    {
+                        "basename": "USERENV.dll", 
+                        "imgsize": 94208, 
+                        "baseaddr": "0x76420000", 
+                        "filepath": "C:\\Windows\\syswow64\\USERENV.dll"
+                    }, 
+                    {
+                        "basename": "profapi.dll", 
+                        "imgsize": 45056, 
+                        "baseaddr": "0x75a70000", 
+                        "filepath": "C:\\Windows\\syswow64\\profapi.dll"
+                    }, 
+                    {
+                        "basename": "NETAPI32.dll", 
+                        "imgsize": 69632, 
+                        "baseaddr": "0x72e40000", 
+                        "filepath": "C:\\Windows\\system32\\NETAPI32.dll"
+                    }, 
+                    {
+                        "basename": "netutils.dll", 
+                        "imgsize": 36864, 
+                        "baseaddr": "0x73950000", 
+                        "filepath": "C:\\Windows\\system32\\netutils.dll"
+                    }, 
+                    {
+                        "basename": "srvcli.dll", 
+                        "imgsize": 102400, 
+                        "baseaddr": "0x72de0000", 
+                        "filepath": "C:\\Windows\\system32\\srvcli.dll"
+                    }, 
+                    {
+                        "basename": "wkscli.dll", 
+                        "imgsize": 61440, 
+                        "baseaddr": "0x730c0000", 
+                        "filepath": "C:\\Windows\\system32\\wkscli.dll"
+                    }, 
+                    {
+                        "basename": "wevtapi.dll", 
+                        "imgsize": 270336, 
+                        "baseaddr": "0x72eb0000", 
+                        "filepath": "C:\\Windows\\system32\\wevtapi.dll"
+                    }, 
+                    {
+                        "basename": "OutlookServicing.dll", 
+                        "imgsize": 118784, 
+                        "baseaddr": "0x72e90000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OutlookServicing.dll"
+                    }, 
+                    {
+                        "basename": "VCRUNTIME140.dll", 
+                        "imgsize": 77824, 
+                        "baseaddr": "0x72e70000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\VCRUNTIME140.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-runtime-l1-1-0.dll", 
+                        "imgsize": 16384, 
+                        "baseaddr": "0x72e60000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-runtime-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "ucrtbase.DLL", 
+                        "imgsize": 901120, 
+                        "baseaddr": "0x6e3c0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\ucrtbase.DLL"
+                    }, 
+                    {
+                        "basename": "api-ms-win-core-timezone-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x738e0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-timezone-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-core-file-l2-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72e30000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-file-l2-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-core-localization-l1-2-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72cd0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-localization-l1-2-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-core-synch-l1-2-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72cc0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-synch-l1-2-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-core-processthreads-l1-1-1.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72cb0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-processthreads-l1-1-1.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-core-file-l1-2-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72ca0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-core-file-l1-2-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-heap-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72a90000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-heap-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-string-l1-1-0.dll", 
+                        "imgsize": 16384, 
+                        "baseaddr": "0x72a80000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-string-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-stdio-l1-1-0.dll", 
+                        "imgsize": 16384, 
+                        "baseaddr": "0x72a70000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-stdio-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-convert-l1-1-0.dll", 
+                        "imgsize": 16384, 
+                        "baseaddr": "0x72a60000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-convert-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "MSVCP140.dll", 
+                        "imgsize": 454656, 
+                        "baseaddr": "0x729f0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\MSVCP140.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-locale-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x729e0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-locale-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-math-l1-1-0.dll", 
+                        "imgsize": 20480, 
+                        "baseaddr": "0x729d0000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-math-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-filesystem-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72860000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-filesystem-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-time-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72850000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-time-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-environment-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72840000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-environment-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-utility-l1-1-0.dll", 
+                        "imgsize": 12288, 
+                        "baseaddr": "0x72830000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-utility-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "IPHLPAPI.DLL", 
+                        "imgsize": 114688, 
+                        "baseaddr": "0x728d0000", 
+                        "filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL"
+                    }, 
+                    {
+                        "basename": "NSI.dll", 
+                        "imgsize": 24576, 
+                        "baseaddr": "0x75470000", 
+                        "filepath": "C:\\Windows\\syswow64\\NSI.dll"
+                    }, 
+                    {
+                        "basename": "WINNSI.DLL", 
+                        "imgsize": 28672, 
+                        "baseaddr": "0x72c90000", 
+                        "filepath": "C:\\Windows\\system32\\WINNSI.DLL"
+                    }, 
+                    {
+                        "basename": "api-ms-win-crt-multibyte-l1-1-0.dll", 
+                        "imgsize": 20480, 
+                        "baseaddr": "0x72820000", 
+                        "filepath": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\api-ms-win-crt-multibyte-l1-1-0.dll"
+                    }, 
+                    {
+                        "basename": "gdiplus.dll", 
+                        "imgsize": 1642496, 
+                        "baseaddr": "0x73330000", 
+                        "filepath": "C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\\gdiplus.dll"
+                    }, 
+                    {
+                        "basename": "RstrtMgr.DLL", 
+                        "imgsize": 163840, 
+                        "baseaddr": "0x728a0000", 
+                        "filepath": "C:\\Windows\\system32\\RstrtMgr.DLL"
+                    }, 
+                    {
+                        "basename": "ncrypt.dll", 
+                        "imgsize": 233472, 
+                        "baseaddr": "0x71d90000", 
+                        "filepath": "C:\\Windows\\system32\\ncrypt.dll"
+                    }, 
+                    {
+                        "basename": "bcrypt.dll", 
+                        "imgsize": 94208, 
+                        "baseaddr": "0x730a0000", 
+                        "filepath": "C:\\Windows\\system32\\bcrypt.dll"
+                    }, 
+                    {
+                        "basename": "MSASN1.dll", 
+                        "imgsize": 49152, 
+                        "baseaddr": "0x771e0000", 
+                        "filepath": "C:\\Windows\\syswow64\\MSASN1.dll"
+                    }, 
+                    {
+                        "basename": "IMM32.DLL", 
+                        "imgsize": 393216, 
+                        "baseaddr": "0x75c90000", 
+                        "filepath": "C:\\Windows\\system32\\IMM32.DLL"
+                    }, 
+                    {
+                        "basename": "MSCTF.dll", 
+                        "imgsize": 839680, 
+                        "baseaddr": "0x759a0000", 
+                        "filepath": "C:\\Windows\\syswow64\\MSCTF.dll"
+                    }, 
+                    {
+                        "basename": "monitor-x86.dll", 
+                        "imgsize": 2117632, 
+                        "baseaddr": "0x6e4a0000", 
+                        "filepath": "C:\\tmped72ov\\bin\\monitor-x86.dll"
+                    }
+                ], 
+                "time": 0, 
+                "tid": 3548, 
+                "first_seen": 1613475152.96875, 
+                "ppid": 2916, 
+                "type": "process"
+            }
+        ], 
+        "processtree": [
+            {
+                "track": false, 
+                "pid": 504, 
+                "process_name": "lsass.exe", 
+                "command_line": "C:\\Windows\\system32\\lsass.exe", 
+                "first_seen": 1613475151.515625, 
+                "ppid": 396, 
+                "children": []
+            }, 
+            {
+                "track": true, 
+                "pid": 2916, 
+                "process_name": "cmd.exe", 
+                "command_line": "\"C:\\Windows\\System32\\cmd.exe\" /c start /wait \"EOQNXBK\" C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg", 
+                "first_seen": 1613475151.765625, 
+                "ppid": 3848, 
+                "children": [
+                    {
+                        "track": true, 
+                        "pid": 2852, 
+                        "process_name": "OUTLOOK.EXE", 
+                        "command_line": "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE\" /f \"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\test.msg\"", 
+                        "first_seen": 1613475152.96875, 
+                        "ppid": 2916, 
+                        "children": []
+                    }
+                ]
+            }
+        ]
+    }, 
+    "debug": {
+        "action": [
+            "gatherer"
+        ], 
+        "dbgview": [], 
+        "errors": [
+            "Unable to stop auxiliary module: Sniffer\nTraceback (most recent call last):\n  File \"/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py\", line 164, in stop\n    module.stop()\n  File \"/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py\", line 156, in stop\n    (out, err, faq(\"permission-denied-for-tcpdump\"))\nCuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?"
+        ], 
+        "log": [
+            "2021-02-16 11:32:31,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmped72ov\n", 
+            "2021-02-16 11:32:31,015 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\wgvEwrMJxeaYcOVZaoGwrbURjTFYhv\n", 
+            "2021-02-16 11:32:31,015 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\oPNYCSiawcQxbkzJiNOybODszVH\n", 
+            "2021-02-16 11:32:31,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.\n", 
+            "2021-02-16 11:32:31,015 [analyzer] INFO: Automatically selected analysis package \"generic\"\n", 
+            "2021-02-16 11:32:31,217 [analyzer] DEBUG: Started auxiliary module DbgView\n", 
+            "2021-02-16 11:32:31,421 [analyzer] DEBUG: Started auxiliary module Disguise\n", 
+            "2021-02-16 11:32:31,578 [analyzer] DEBUG: Loaded monitor into process with pid 504\n", 
+            "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n", 
+            "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module Human\n", 
+            "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n", 
+            "2021-02-16 11:32:31,592 [analyzer] DEBUG: Started auxiliary module Reboot\n", 
+            "2021-02-16 11:32:31,625 [analyzer] DEBUG: Started auxiliary module RecentFiles\n", 
+            "2021-02-16 11:32:31,625 [analyzer] DEBUG: Started auxiliary module Screenshots\n", 
+            "2021-02-16 11:32:31,625 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n", 
+            "2021-02-16 11:32:31,671 [lib.api.process] INFO: Successfully executed process from path 'C:\\\\Windows\\\\System32\\\\cmd.exe' with arguments ['/c', 'start', '/wait', '\"EOQNXBK\"', u'C:\\\\Users\\\\mes-vms\\\\AppData\\\\Local\\\\Temp\\\\test.msg'] and pid 2916\n", 
+            "2021-02-16 11:32:31,858 [analyzer] DEBUG: Loaded monitor into process with pid 2916\n", 
+            "2021-02-16 11:32:32,171 [analyzer] INFO: Injected into process with pid 2852 and name u'\\uc7d0\\u026c'\n", 
+            "2021-02-16 11:32:32,842 [lib.api.process] INFO: Memory dump of process with pid 2852 completed\n", 
+            "2021-02-16 11:32:33,046 [analyzer] DEBUG: Loaded monitor into process with pid 2852\n", 
+            "2021-02-16 11:32:35,312 [lib.api.process] INFO: Memory dump of process with pid 2852 completed\n", 
+            "2021-02-16 11:32:35,328 [lib.api.process] WARNING: The process with pid 2916 is not alive, memory dump aborted\n", 
+            "2021-02-16 11:32:35,687 [analyzer] INFO: Process with pid 2916 has terminated\n", 
+            "2021-02-16 11:32:36,687 [analyzer] INFO: Process with pid 2852 has terminated\n", 
+            "2021-02-16 11:32:36,687 [analyzer] INFO: Process list is empty, terminating analysis.\n", 
+            "2021-02-16 11:32:37,687 [analyzer] INFO: Analysis completed.\n"
+        ], 
+        "cuckoo": [
+            "2021-02-16 11:32:31,540 [cuckoo.core.scheduler] INFO: Task #5: acquired machine cuckoo1 (label=win7cuckoo)\n", 
+            "2021-02-16 11:32:31,540 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #5\n", 
+            "2021-02-16 11:32:31,541 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay\n", 
+            "2021-02-16 11:32:31,551 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 19829 (interface=vboxnet0, host=192.168.56.101)\n", 
+            "2021-02-16 11:32:31,552 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n", 
+            "2021-02-16 11:32:31,569 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7cuckoo\n", 
+            "2021-02-16 11:32:31,683 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7cuckoo to cuckoo-ready6\n", 
+            "2021-02-16 11:32:38,530 [cuckoo.core.guest] INFO: Starting analysis #5 on guest (id=cuckoo1, ip=192.168.56.101)\n", 
+            "2021-02-16 11:32:39,540 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", 
+            "2021-02-16 11:32:40,543 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", 
+            "2021-02-16 11:32:41,546 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", 
+            "2021-02-16 11:32:41,612 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n", 
+            "2021-02-16 11:32:42,625 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)\n", 
+            "2021-02-16 11:32:42,657 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3894261)\n", 
+            "2021-02-16 11:32:42,985 [cuckoo.core.resultserver] DEBUG: Task #5: live log analysis.log initialized.\n", 
+            "2021-02-16 11:32:43,500 [cuckoo.core.resultserver] DEBUG: Task #5 is sending a BSON stream\n", 
+            "2021-02-16 11:32:43,750 [cuckoo.core.resultserver] DEBUG: Task #5 is sending a BSON stream\n", 
+            "2021-02-16 11:32:44,759 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'memory/2852-1.dmp'\n", 
+            "2021-02-16 11:32:44,759 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'shots/0001.jpg'\n", 
+            "2021-02-16 11:32:44,762 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 60906\n", 
+            "2021-02-16 11:32:44,835 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 34079512\n", 
+            "2021-02-16 11:32:44,952 [cuckoo.core.resultserver] DEBUG: Task #5 is sending a BSON stream\n", 
+            "2021-02-16 11:32:45,867 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'shots/0002.jpg'\n", 
+            "2021-02-16 11:32:45,871 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 60609\n", 
+            "2021-02-16 11:32:47,139 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'memory/2852-2.dmp'\n", 
+            "2021-02-16 11:32:47,289 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 78095000\n", 
+            "2021-02-16 11:32:47,885 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #5 still processing\n", 
+            "2021-02-16 11:32:48,004 [cuckoo.core.resultserver] DEBUG: Task #5: File upload for 'shots/0003.jpg'\n", 
+            "2021-02-16 11:32:48,006 [cuckoo.core.resultserver] DEBUG: Task #5 uploaded file length: 50920\n", 
+            "2021-02-16 11:32:49,902 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully\n", 
+            "2021-02-16 11:32:49,909 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay\n", 
+            "2021-02-16 11:32:49,910 [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer\n", 
+            "Traceback (most recent call last):\n", 
+            "  File \"/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py\", line 164, in stop\n", 
+            "    module.stop()\n", 
+            "  File \"/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py\", line 156, in stop\n", 
+            "    (out, err, faq(\"permission-denied-for-tcpdump\"))\n", 
+            "CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?\n", 
+            "2021-02-16 11:32:52,148 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7cuckoo to path /home/jean/.cuckoo/storage/analyses/5/memory.dmp\n", 
+            "2021-02-16 11:32:52,152 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7cuckoo\n", 
+            "202"
+        ]
+    }, 
+    "screenshots": [
+        {
+            "path": "/home/jean/.cuckoo/storage/analyses/5/shots/0001.jpg", 
+            "ocr": ""
+        }, 
+        {
+            "path": "/home/jean/.cuckoo/storage/analyses/5/shots/0002.jpg", 
+            "ocr": ""
+        }, 
+        {
+            "path": "/home/jean/.cuckoo/storage/analyses/5/shots/0003.jpg", 
+            "ocr": ""
+        }
+    ], 
+    "strings": [
+        "test00292@outlook.fr", 
+        "LZFuiq", 
+        "rcpg125", 
+        "Chtml1", 
+        "64\u001fz!G", 
+        "tps://", 
+        "google.", 
+        "st{HYPE", 
+        "RLINK %", 
+        "9_?:o;", 
+        "https://google.fr", 
+        "multipart/alternative; boundary=\"000000000000f3441005b82466dd\"; charset=\"utf-8\"", 
+        "00000003", 
+        "test00292@o", 
+        "test00292@outlook.fr", 
+        "00000003", 
+        "test00292@o", 
+        "test00292@outlook.fr", 
+        "test00292@outlook.fr", 
+        "<CAAwK9ifo8=nSuBv_GEJoAZiWyqkFSE-0Snr8ohQa2r_18Yn=WQ@mail.gmail.com>", 
+        "jeanjestin@gmail.com", 
+        "SMTP:JEANJESTIN@GMAIL.COM", 
+        "jean jestin", 
+        "test00292@outlook.fr", 
+        "test00292@outlook.fr", 
+        "Received: from AM7EUR06HT038.eop-eur06.prod.protection.outlook.com", 
+        " (2603:10a6:208:17c::12) by AM0PR04MB5777.eurprd04.prod.outlook.com with HTTPS", 
+        " via AM0PR10CA0002.EURPRD10.PROD.OUTLOOK.COM; Tue, 5 Jan 2021 10:09:30 +0000", 
+        "Received: from AM7EUR06FT042.eop-eur06.prod.protection.outlook.com", 
+        " (2a01:111:e400:fc36::45) by", 
+        " AM7EUR06HT038.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::335)", 
+        " with Microsoft SMTP Server (version=TLS1_2,", 
+        " cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.20; Tue, 5 Jan", 
+        " 2021 10:09:30 +0000", 
+        "Authentication-Results: spf=pass (sender IP is 209.85.161.54)", 
+        " smtp.mailfrom=gmail.com; outlook.fr; dkim=pass (signature was verified)", 
+        " header.d=gmail.com;outlook.fr; dmarc=pass action=none", 
+        " header.from=gmail.com;compauth=pass reason=100", 
+        "Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates", 
+        " 209.85.161.54 as permitted sender) receiver=protection.outlook.com;", 
+        " client-ip=209.85.161.54; helo=mail-oo1-f54.google.com;", 
+        "Received: from mail-oo1-f54.google.com (209.85.161.54) by", 
+        " AM7EUR06FT042.mail.protection.outlook.com (10.233.255.77) with Microsoft SMTP", 
+        " Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id", 
+        " 15.20.3721.20 via Frontend Transport; Tue, 5 Jan 2021 10:09:30 +0000", 
+        "X-IncomingTopHeaderMarker:", 
+        " OriginalChecksum:9E1B40C9E576E27DF70DA26D3F677E8CAEFBBE011CAF4BCDEBB9DF5109053767;UpperCasedChecksum:698A730C8DBC01D9C2C903FEAC863B9005C80700FE95F2E57BD1F84F80AECC23;SizeAsReceived:2069;Count:13", 
+        "Received: by mail-oo1-f54.google.com with SMTP id i18so6949389ooh.5", 
+        "        for <test00292@outlook.fr>; Tue, 05 Jan 2021 02:09:30 -0800 (PST)", 
+        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;", 
+        "        d=gmail.com; s=20161025;", 
+        "        h=mime-version:from:date:message-id:subject:to;", 
+        "        bh=egi3rmVw1Zt8Q9h8gOFwTYvN/MWXhtmBJUUCE8JMZa4=;", 
+        "        b=lboKHEIiNRkdgCabcrBlvrb8A1d+C78bQsJF6vlopRFyOLhRM/2A90gA5gWvIBrcBR", 
+        "         rc+PkV+NBtQ+RBBg5xgXv/z83/I3TWSdNGKEUL3bKbaHYFb1PiVVtN3u5T1jrijRzYUR", 
+        "         mOZw3kGdsN9PRoYOfg7K2sNOUROuT9tVXti05I3Hh7ulylIisBNCOPDl0QlkTKdd+VIf", 
+        "         C9jSI03RvT9Dt0E23RXyx6iIqVROtmjcOwEHVI3XkEG4PrBansSH6lRMezv4SFfNGem8", 
+        "         TLrt1WFjpKoHM1F3FuGFGoZLycmJlNLWp/t5ZPhSTjTCfvIXvmAegaqj02lh6VOXkgiC", 
+        "         xwHA==", 
+        "X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;", 
+        "        d=1e100.net; s=20161025;", 
+        "        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;", 
+        "        bh=egi3rmVw1Zt8Q9h8gOFwTYvN/MWXhtmBJUUCE8JMZa4=;", 
+        "        b=uNiQpiRze+g8kikQtu2qTFswyA3cAFTJ8nIySjbGGeQ3meYmF5NFddXcagQZjCuVny", 
+        "         RBFC0+JsQYm11Yxu1QZNfMwsBuua1eTRSK6ZRmuUS3zlDWu8QcWkM+aoJ8yLkd09r1gb", 
+        "         TZkPC94xZf3Y/H0i+ttr6zTN6MZ2BH7EDMsHjI4NzGnQl+LYi20VjJBBBuhjl5ng9uYI", 
+        "         t/tVVSZGYsTc3XYerLcNQ+AUQuJVufKiWPiim3jCnat53t+shD+oJRnI6aoNaHf1bvyf", 
+        "         p8Vq4Y0OPuX3fAK0ESarA692TWH81S6k4WdJMIaxSShdEcNvBGxnEECZzsAE37aYJunB", 
+        "         eqpg==", 
+        "X-Gm-Message-State: AOAM5329qrWQ4MER5zxkoFGqtYPFHLqE/9g0kI01nXhwb/sPxEY14wJk", 
+        "cZLV1FZEG8meRWVOoksuLuyrvHQVn9f3l12z4Kpe78OYgyk=", 
+        "X-Google-Smtp-Source: ABdhPJxFLfLAnPfiVmGsjJGH4Dbt9Y3IUMcLD+lSu7sD9J0SNTHpjMg20MRxRrRZ1FTsb5Jz7Q74obF+nEUahFIfCU8=", 
+        "X-Received: by 2002:a4a:2256:: with SMTP id z22mr52115990ooe.62.1609841369104;", 
+        " Tue, 05 Jan 2021 02:09:29 -0800 (PST)", 
+        "From: jean jestin <jeanjestin@gmail.com>", 
+        "Date: Tue, 5 Jan 2021 10:09:18 +0100", 
+        "Message-ID: <CAAwK9ifo8=nSuBv_GEJoAZiWyqkFSE-0Snr8ohQa2r_18Yn=WQ@mail.gmail.com>", 
+        "Subject: test", 
+        "To: test00292@outlook.fr", 
+        "Content-Type: multipart/alternative; boundary=\"000000000000f3441005b82466dd\"", 
+        "X-IncomingHeaderCount: 13", 
+        "Return-Path: jeanjestin@gmail.com", 
+        "X-MS-Exchange-Organization-ExpirationStartTime: 05 Jan 2021 10:09:30.2559", 
+        " (UTC)", 
+        "X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit", 
+        "X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000", 
+        "X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit", 
+        "X-MS-Exchange-Organization-Network-Message-Id:", 
+        " bd61560a-2c0c-4855-b77c-08d8b161fde5", 
+        "X-EOPAttributedMessage: 0", 
+        "X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0", 
+        "X-MS-Exchange-Organization-MessageDirectionality: Incoming", 
+        "X-MS-PublicTrafficType: Email", 
+        "X-MS-Exchange-Organization-AuthSource:", 
+        " AM7EUR06FT042.eop-eur06.prod.protection.outlook.com", 
+        "X-MS-Exchange-Organization-AuthAs: Anonymous", 
+        "X-MS-UserLastLogonTime: 1/5/2021 10:09:24 AM", 
+        "X-MS-Office365-Filtering-Correlation-Id: bd61560a-2c0c-4855-b77c-08d8b161fde5", 
+        "X-MS-TrafficTypeDiagnostic: AM7EUR06HT038:", 
+        "X-MS-Exchange-EOPDirect: true", 
+        "X-Sender-IP: 209.85.161.54", 
+        "X-SID-PRA: JEANJESTIN@GMAIL.COM", 
+        "X-SID-Result: PASS", 
+        "X-MS-Exchange-Organization-PCL: 2", 
+        "X-MS-Exchange-Organization-SCL: 0", 
+        "X-Microsoft-Antispam: BCL:0;", 
+        "X-OriginatorOrg: outlook.com", 
+        "X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2021 10:09:30.2379", 
+        " (UTC)", 
+        "X-MS-Exchange-CrossTenant-Network-Message-Id: bd61560a-2c0c-4855-b77c-08d8b161fde5", 
+        "X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa", 
+        "X-MS-Exchange-CrossTenant-AuthSource:", 
+        " AM7EUR06FT042.eop-eur06.prod.protection.outlook.com", 
+        "X-MS-Exchange-CrossTenant-AuthAs: Anonymous", 
+        "X-MS-Exchange-CrossTenant-FromEntityHeader: Internet", 
+        "X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:", 
+        " 00000000-0000-0000-0000-000000000000", 
+        "X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7EUR06HT038", 
+        "X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2839927", 
+        "X-MS-Exchange-Processed-By-BccFoldering: 15.20.3721.024", 
+        "X-Microsoft-Antispam-Mailbox-Delivery:", 
+        "abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000282)(90000117)(90005022)(91005020)(90014020)(91030020)(91040095)(9000001)(9010001)(9050020)(9100272)(5061607266)(5061608174)(4900115)(98392012)(98393011)(4920090)(6515079)(4950131)(4990090);", 
+        "X-Message-Info:", 
+        "5vMbyqxGkderUG8NjABdPpLes3RkFKWntvpQA06tGLDJgwMWwy6H7rVZv7BCPUJ6SUbPjWEDDC74wrSoCHA+DurUy+k91nquYb7aP9KA6oCNxZtpL2GHobDBswqic8/mhD0sh4+Ee9Rpt/BAZMXj3O0bfFYNWBMjcE3Cz8i1SK2ENfsr4mws+ew16kqJp/DZ8G7VdyD/m62FrCGJlKisBQ==", 
+        "X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0z", 
+        "X-Microsoft-Antispam-Message-Info:", 
+        "=?utf-8?B?dHBYNGN4UHp4RGxnSWVoWk0xakRmcnlvTi93YitKRTVDbW5JbFJLNjFuODZs?=", 
+        " =?utf-8?B?U09lN0h1UUgyWWZZR2dzSzRDRndKSDJUZTZ3UmRLNHNCK3pUTGJDYnRpM2hp?=", 
+        " =?utf-8?B?TGoxNzdEWng4dGFBVlFKcy9qRDFNM0xpU2diVHRqd1VkWFc3Tlh6dzliVkFK?=", 
+        " =?utf-8?B?ZHd1a3RyZGNLTW9hdFBPdjBxYkdtNlJSSGtaM0RhZXJKOTZwSjFFV3dJbnZy?=", 
+        " =?utf-8?B?U0M1elhweEp3V3lkU2JnSDU2Y2hMa20zN1JXWldSSXpBWUZBVms5dmFZd1ZJ?=", 
+        " =?utf-8?B?VXVRdFVZR3JIMDR1TEFNU2NYS1I5ZjA3Nk44QXE3dnVUVFhjNkV0NGRpcEN5?=", 
+        " =?utf-8?B?YVhOb1U3bG55UEkxQ2s2bnpOOUR4NnQyaVdtbGRlNitFbHNlb2xUcnl4UmtW?=", 
+        " =?utf-8?B?ODAxdU5JcmxFOEltK1p0bjNTSUlWVmh4eXdYaVc1b3V3MDVBTmMvcjJKaWpq?=", 
+        " =?utf-8?B?NGc0bjFKdjZWcFA1UWhLVy9xRTRyZjdaSzZsaVZMNXBRZHFkUnlUcmY0MXlE?=", 
+        " =?utf-8?B?Rlc5T3hDcDFZL1FlUUcwU0I3ZlZMNjMxUE01d2s3ekdKYXptWmdneUJGL2dx?=", 
+        " =?utf-8?B?bkxHL24xN1lBUVdJUnNKbytvSm5hNjRwM0dpL0FGOU5jcU5tR3ZJQ1BuSEtQ?=", 
+        " =?utf-8?B?NG5uZGVrWkdxelRucG1USTVQTUx5K05CZUcrMzdMUFdyajRycVVsUlEvY3Nk?=", 
+        " =?utf-8?B?YS81c0llWmEzNjIzM1B5cVFFQnNGSVBQSm9tTjJYUGQzTmIxUjVMZFJsTmYz?=", 
+        " =?utf-8?B?MUMvMWNLR1NmelpsRkprajY0d29ZNEVKeVdxYy9LODROL1VQVWhsMk5oUUJL?=", 
+        " =?utf-8?B?cUJzQnNyQ0l6VjRaYWFxN21zb3o1NlY1YzFlZitYVzBNOU5vYjhTWDd4NWJX?=", 
+        " =?utf-8?B?ZFVCNkRGbm1Bek5XWDN2RGVGNEtZN3pKdVhKb3YrS3ExaEE1YWw2V3M0bEkx?=", 
+        " =?utf-8?B?eG4vN1RlUzRJYjFxNDJKSTIwRnhzTjkwVGpzeXEvNjFYVUsvTjNpZ1AvL2Fv?=", 
+        " =?utf-8?B?dHJEanJWSUdETW9OcW1aVkJMVlg3d29WOU9MdDhCQ0xUbTZ4WlhRcGlHMUt3?=", 
+        " =?utf-8?B?WnJ2TFd0bkZVL3JFT1B4N3cxcGJDK1dhZjNKcy9WRk40NHArZTZ0UjdHZGVU?=", 
+        " =?utf-8?B?YjUxSVJXMjl6WENGSzVqUGlnRW5UN3pXL05rR0lnOG1haTJyZ3lTcHR5U1dl?=", 
+        " =?utf-8?B?V0hpWTVnQXNkRmlmY2ZhV2F5c0liK2JVRCtiakMxaElHYlN6ckt0VG5qNURi?=", 
+        " =?utf-8?B?dWRCMWdnM1NxM1NGQTNvRytLQndUS2NpRDkzTW1pVGJNL251eW5iQy8wc1dh?=", 
+        " =?utf-8?Q?eENjgXOBwZXfOXmScXsRC4Vv9NuCg+0Ws+?=", 
+        "MIME-Version: 1.0", 
+        "jeanjestin@gmail.com", 
+        "SMTP:TEST00292@OUTLOOK.FR", 
+        "SMTP:TEST00292@OUTLOOK.FR", 
+        "test00292@outlook.fr", 
+        "jean jestin", 
+        "test00292@outlook.fr", 
+        "SMTP:JEANJESTIN@GMAIL.COM", 
+        "IPM.Note", 
+        "SMTP:TEST00292@OUTLOOK.FR", 
+        "test00292@outlook.fr", 
+        "test00292@outlook.fr", 
+        "Root Entry", 
+        "__properties_version1.0", 
+        "__nameid_version1.0", 
+        "__substg1.0_0E04001E", 
+        "Root Entry", 
+        "__properties_version1.0", 
+        "__nameid_version1.0", 
+        "__substg1.0_0E04001E", 
+        "__substg1.0_0E03001E", 
+        "__substg1.0_0E02001E", 
+        "__recip_version1.0_#00000000", 
+        "__substg1.0_001A001E", 
+        "__substg1.0_0037001E", 
+        "__substg1.0_003B0102", 
+        "__substg1.0_003F0102", 
+        "__substg1.0_0040001E", 
+        "__substg1.0_00410102", 
+        "__substg1.0_0042001E", 
+        "__substg1.0_00430102", 
+        "__substg1.0_0044001E", 
+        "__substg1.0_00510102", 
+        "__substg1.0_00520102", 
+        "__substg1.0_0064001E", 
+        "__substg1.0_0065001E", 
+        "__substg1.0_0070001E", 
+        "__substg1.0_00710102", 
+        "__substg1.0_0075001E", 
+        "__substg1.0_0076001E", 
+        "__substg1.0_0077001E", 
+        "__substg1.0_0078001E", 
+        "__substg1.0_007D001E", 
+        "__substg1.0_0C190102", 
+        "__substg1.0_0C1A001E", 
+        "__substg1.0_0C1D0102", 
+        "__substg1.0_0C1E001E", 
+        "__substg1.0_0C1F001E", 
+        "__substg1.0_1035001E", 
+        "__substg1.0_300B0102", 
+        "__substg1.0_3FFA001E", 
+        "__substg1.0_680D001E", 
+        "__substg1.0_680E001E", 
+        "__substg1.0_8000001E", 
+        "__substg1.0_8001001E", 
+        "__substg1.0_8003001E", 
+        "__substg1.0_80040102", 
+        "__substg1.0_003D001E", 
+        "__substg1.0_1000001E", 
+        "__substg1.0_10090102", 
+        "__substg1.0_65E20102", 
+        "__substg1.0_65E30102", 
+        "__substg1.0_0E1D001E", 
+        "__properties_version1.0", 
+        "jean jestin", 
+        "jeanjestin@gmail.com", 
+        "test00292@outlook.fr", 
+        "test00292@outlook.fr", 
+        "jean jestin", 
+        "jeanjestin@gmail.com", 
+        "test00292@outlook.fr", 
+        "test00292@outlook.fr", 
+        "__substg1.0_0FFF0102", 
+        "__substg1.0_3001001E", 
+        "__substg1.0_3002001E", 
+        "__substg1.0_3003001E", 
+        "__substg1.0_300B0102", 
+        "__substg1.0_0FF60102", 
+        "__substg1.0_00020102", 
+        "__substg1.0_00030102", 
+        "__substg1.0_00040102", 
+        "__substg1.0_10140102", 
+        "__substg1.0_10150102", 
+        "__substg1.0_10020102", 
+        "__substg1.0_10090102", 
+        "__substg1.0_10060102", 
+        "test00292@outlook.fr", 
+        "test00292@outlook.fr", 
+        "content-type4", 
+        "InTransitMessageCorrelator"
+    ], 
+    "metadata": {
+        "output": {
+            "memdumps": [
+                {
+                    "basename": "2852-1.dmp", 
+                    "sha256": "bfa55c3b937932d1b161d73e88926fa4862958fac3a850d62e014494bedc7dfb", 
+                    "dirname": "memory"
+                }, 
+                {
+                    "basename": "2852-2.dmp", 
+                    "sha256": "6621b5efe4316eeef39e343eb58b5305b30e99b3b8ef11d59f3ec88c4c89e456", 
+                    "dirname": "memory"
+                }
+            ]
+        }
+    }
+}
\ No newline at end of file
diff --git a/struct.go b/struct.go
index 7a0abd1..2edcb22 100644
--- a/struct.go
+++ b/struct.go
@@ -1,3 +1,5 @@
+package main
+
 type AutoGenerated struct {
 	Info struct {
 		Added    float64     `json:"added"`
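Review bot: The exported type `AutoGenerated` now sits in `package main` but still carries no doc comment, and its name says nothing about what it models. Its `metadata` / `output` / `memdumps` tags match the layout of the report.json added in this same commit, so a comment such as `// AutoGenerated mirrors the Cuckoo analysis report JSON (see report.json).` placed above the `type` line would tell a reader what this struct is decoded from. The struct body continues outside the hunk, so the comment is the only change needed here; the second struct.go hunk only fixes the missing trailing newline.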
@@ -227,4 +229,4 @@ type AutoGenerated struct {
 			} `json:"memdumps"`
 		} `json:"output"`
 	} `json:"metadata"`
-}
\ No newline at end of file
+}
diff --git a/task.json b/task.json
index 87aea7b..ff7acbc 100644
--- a/task.json
+++ b/task.json
@@ -1 +1,41230 @@
-{"behavior":{"apistats":{"1952":{"CoCreateInstance":2,"CoGetClassObject":4,"CoInitializeEx":1,"CoInitializeSecurity":1,"CoUninitialize":1,"GetFileInformationByHandle":2,"GetFileSize":4,"GetSystemDirectoryW":3,"GetSystemInfo":3,"GetSystemTimeAsFileTime":14,"LdrGetDllHandle":8,"LdrGetProcedureAddress":39,"LdrLoadDll":9,"LdrUnloadDll":2,"NtAllocateVirtualMemory":16,"NtClose":58,"NtCreateFile":5,"NtCreateSection":4,"NtDuplicateObject":2,"NtFreeVirtualMemory":6,"NtMapViewOfSection":4,"NtOpenDirectoryObject":1,"NtOpenFile":1,"NtOpenKey":3,"NtOpenKeyEx":91,"NtOpenProcess":2,"NtProtectVirtualMemory":2,"NtQueryKey":99,"NtQuerySystemInformation":1,"NtQueryValueKey":39,"NtReadFile":86,"NtTerminateProcess":3,"NtUnmapViewOfSection":6,"RegCloseKey":71,"RegCreateKeyExW":1,"RegEnumKeyW":6,"RegQueryValueExW":3,"SetFilePointer":108,"SetUnhandledExceptionFilter":1},"2976":{"CoCreateInstance":2,"CoUninitialize":1,"CreateActCtxW":2,"CreateProcessInternalW":1,"CreateServiceA":1,"CreateThread":3,"CreateToolhelp32Snapshot":1,"CryptAcquireContextA":1,"CryptCreateHash":1,"CryptHashData":3,"DeviceIoControl":2,"FindFirstFileExW":4,"FindWindowA":4,"GetFileAttributesW":1,"GetNativeSystemInfo":4,"GetSystemDirectoryW":4,"GetSystemInfo":3,"GetSystemTimeAsFileTime":6,"GetSystemWindowsDirectoryA":6,"GetSystemWindowsDirectoryW":7,"GetVolumeNameForVolumeMountPointW":3,"GetVolumePathNamesForVolumeNameW":8,"GlobalMemoryStatusEx":1,"LdrGetDllHandle":33,"LdrGetProcedureAddress":306,"LdrLoadDll":31,"LdrUnloadDll":4,"LoadStringW":2,"LookupPrivilegeValueW":4,"Module32FirstW":1,"Module32NextW":21,"NtAllocateVirtualMemory":50,"NtClose":230,"NtCreateFile":12,"NtCreateMutant":5,"NtCreateSection":6,"NtDelayExecution":1,"NtDeviceIoControlFile":1,"NtDuplicateObject":4,"NtFreeVirtualMemory":17,"NtGetContextThread":1,"NtMapViewOfSection":6,"NtOpenDirectoryObject":1,"NtOpenFile":2,"NtOpenKey":14,"NtOpenKeyEx":159,"NtOpenProcess":4,"NtProtectVirtualMemory":47,"NtQueryAttributesFile":2,"NtQueryDirectoryFile":71,"NtQuery
InformationFile":3,"NtQueryKey":144,"NtQuerySystemInformation":1,"NtQueryValueKey":113,"NtReadFile":1,"NtTerminateProcess":3,"NtUnmapViewOfSection":10,"NtWriteFile":1,"OleInitialize":1,"OpenSCManagerA":2,"OpenServiceA":3,"RegCloseKey":26,"RegCreateKeyExA":4,"RegEnumKeyW":18,"RegOpenKeyExA":14,"RegOpenKeyExW":14,"RegQueryValueExA":9,"RegQueryValueExW":20,"RegSetValueExA":15,"SetErrorMode":9,"SetFileAttributesW":2,"SetFilePointer":1,"SetFilePointerEx":1,"SetUnhandledExceptionFilter":5,"ShellExecuteExW":2,"StartServiceA":1,"__exception__":5}},"generic":[{"first_seen":1606943649.755751,"pid":1952,"ppid":2976,"process_name":"firefox.exe","process_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","summary":{"dll_loaded":["ntmarta.dll","C:\\Windows\\system32\\IMM32.DLL","api-ms-win-appmodel-runtime-l1-1-2","C:\\Windows\\system32\\actxprxy.dll","gdi32.dll","OLEAUT32","OLEAUT32.dll","C:\\Program Files\\Internet Explorer\\ieproxy.dll","ole32.dll"],"file_opened":["C:\\Program Files\\Mozilla Firefox\\firefox.exe","C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\System32\\shell32.dll","C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe"],"file_read":["C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\System32\\shell32.dll"],"guid":["{00000320-0000-0000-c000-000000000046}","{0000015b-0000-0000-c000-000000000046}","{00020420-0000-0000-c000-000000000046}","{9ba05972-f6a8-11cf-a442-00a0c90a8f39}","{85cb6900-4d95-11cf-960c-0080c7f4ee85}","{d5f569d0-593b-101a-b569-08002b2dbf7a}","{0000034b-0000-0000-c000-000000000046}"],"regkey_opened":["HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher"],"regkey_read":["HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\serv
ices\\LDAP\\UseHostnameAsAlias","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","HKEY_
LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles"]}},{"first_seen":1606943648.427626,"pid":2976,"ppid":3028,"process_name":"Win32.DarkTequila.exe","process_path":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","summary":{"command_line":["\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url 
\"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974"],"directory_enumerated":["C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Windows\\SysWOW64","C:\\Windows","C:\\Windows\\SysWOW64\\*.*"],"dll_loaded":["ADVAPI32.dll","C:\\Windows\\system32\\IMM32.DLL","wpcap.dll","api-ms-win-downlevel-advapi32-l1-1-0.dll","urlmon.dll","api-ms-win-downlevel-ole32-l1-1-0.dll","PROPSYS.dll","apphelp.dll","gdi32.dll","Shell32.dll","KERNEL32.DLL","msvcrt.dll","OLEAUT32.dll","api-ms-win-downlevel-shlwapi-l2-1-0.dll","advapi32.dll","API-MS-Win-Core-LocalRegistry-L1-1-0.dll","Ole32.dll","SETUPAPI.dll","CRYPTSP.dll","ole32.dll","comctl32.dll"],"file_created":["c:\\Windows\\csrss.dll"],"file_exists":["C:\\Windows\\SysWOW64\\ieframe.dll"],"file_opened":["C:\\Windows\\AppPatch\\sysmain.sdb","C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Windows\\SysWOW64\\","\\??\\c:","\\??\\PhysicalDrive0","C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui"],"file_read":["C:\\Windows\\SysWOW64\\ieframe.dll"],"file_recreated":["\\??\\C:"],"file_written":["c:\\Windows\\csrss.dll"],"guid":["{76765b11-3f95-4af2-ac9d-ea55d8994f1a}","{00000000-0000-0000-c000-000000000046}","{871c5380-42a0-1069-a2ea-08002b30309d}","{000214e6-0000-0000-c000-000000000046}"],"mutex":["Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"],"regkey_opened":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\SYSTEM\\Select","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings"],"regkey_read":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\
\Internet Explorer\\Main\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\AdminTabProcs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy","HKEY_LOCAL_MACHIN
E\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 
0xFFFF","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell 
Folders\\Cache"],"regkey_written":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\Wcsrss","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64"]}},{"first_seen":1606943609.640625,"pid":500,"ppid":384,"process_name":"lsass.exe","process_path":"C:\\Windows\\System32\\lsass.exe","summary":{}}],"processes":[{"calls":[],"command_line":"C:\\Windows\\system32\\lsass.exe","first_seen":1606943609.640625,"modules":[{"baseaddr":"0xff020000","basename":"lsass.exe","filepath":"C:\\Windows\\system32\\lsass.exe","imgsize":49152},{"baseaddr":"0x777e0000","basename":"ntdll.dll","filepath":"C:\\Windows\\SYSTEM32\\ntdll.dll","imgsize":1744896},{"baseaddr":"0x775c0000","basename":"kernel32.dll","filepath":"C:\\Windows\\system32\\kernel32.dll","imgsize":1175552},{"baseaddr"
:"0x7fefd5b0000","basename":"KERNELBASE.dll","filepath":"C:\\Windows\\system32\\KERNELBASE.dll","imgsize":434176},{"baseaddr":"0x7fefe0f0000","basename":"msvcrt.dll","filepath":"C:\\Windows\\system32\\msvcrt.dll","imgsize":651264},{"baseaddr":"0x7feff660000","basename":"RPCRT4.dll","filepath":"C:\\Windows\\system32\\RPCRT4.dll","imgsize":1232896},{"baseaddr":"0x7fefd290000","basename":"SspiSrv.dll","filepath":"C:\\Windows\\system32\\SspiSrv.dll","imgsize":45056},{"baseaddr":"0x7fefd0e0000","basename":"lsasrv.dll","filepath":"C:\\Windows\\system32\\lsasrv.dll","imgsize":1482752},{"baseaddr":"0x7feff350000","basename":"sechost.dll","filepath":"C:\\Windows\\SYSTEM32\\sechost.dll","imgsize":126976},{"baseaddr":"0x7fefd2a0000","basename":"SspiCli.dll","filepath":"C:\\Windows\\system32\\SspiCli.dll","imgsize":151552},{"baseaddr":"0x7feff3f0000","basename":"ADVAPI32.dll","filepath":"C:\\Windows\\system32\\ADVAPI32.dll","imgsize":897024},{"baseaddr":"0x776e0000","basename":"USER32.dll","filepath":"C:\\Windows\\system32\\USER32.dll","imgsize":1024000},{"baseaddr":"0x7fefdf40000","basename":"GDI32.dll","filepath":"C:\\Windows\\system32\\GDI32.dll","imgsize":421888},{"baseaddr":"0x7feff340000","basename":"LPK.dll","filepath":"C:\\Windows\\system32\\LPK.dll","imgsize":57344},{"baseaddr":"0x7fefda90000","basename":"USP10.dll","filepath":"C:\\Windows\\system32\\USP10.dll","imgsize":831488},{"baseaddr":"0x7fefcf60000","basename":"SAMSRV.dll","filepath":"C:\\Windows\\system32\\SAMSRV.dll","imgsize":790528},{"baseaddr":"0x7fefcf40000","basename":"cryptdll.dll","filepath":"C:\\Windows\\system32\\cryptdll.dll","imgsize":81920},{"baseaddr":"0x7fefd4e0000","basename":"MSASN1.dll","filepath":"C:\\Windows\\system32\\MSASN1.dll","imgsize":61440},{"baseaddr":"0x7fefced0000","basename":"wevtapi.dll","filepath":"C:\\Windows\\system32\\wevtapi.dll","imgsize":446464},{"baseaddr":"0x7feff1f0000","basename":"IMM32.DLL","filepath":"C:\\Windows\\system32\\IMM32.DLL","imgsize":188416},{"baseaddr":"0
x7feff220000","basename":"MSCTF.dll","filepath":"C:\\Windows\\system32\\MSCTF.dll","imgsize":1085440},{"baseaddr":"0x7fefcec0000","basename":"cngaudit.dll","filepath":"C:\\Windows\\system32\\cngaudit.dll","imgsize":36864},{"baseaddr":"0x7fefce90000","basename":"AUTHZ.dll","filepath":"C:\\Windows\\system32\\AUTHZ.dll","imgsize":192512},{"baseaddr":"0x7fefce40000","basename":"ncrypt.dll","filepath":"C:\\Windows\\system32\\ncrypt.dll","imgsize":327680},{"baseaddr":"0x7fefce10000","basename":"bcrypt.dll","filepath":"C:\\Windows\\system32\\bcrypt.dll","imgsize":139264},{"baseaddr":"0x75240000","basename":"msprivs.DLL","filepath":"C:\\Windows\\system32\\msprivs.DLL","imgsize":8192},{"baseaddr":"0x7fefcdd0000","basename":"netjoin.dll","filepath":"C:\\Windows\\system32\\netjoin.dll","imgsize":204800},{"baseaddr":"0x7fefcda0000","basename":"negoexts.DLL","filepath":"C:\\Windows\\system32\\negoexts.DLL","imgsize":147456},{"baseaddr":"0x7fefd250000","basename":"Secur32.dll","filepath":"C:\\Windows\\system32\\Secur32.dll","imgsize":45056},{"baseaddr":"0x7fefd330000","basename":"cryptbase.dll","filepath":"C:\\Windows\\system32\\cryptbase.dll","imgsize":61440},{"baseaddr":"0x7fefcce0000","basename":"kerberos.DLL","filepath":"C:\\Windows\\system32\\kerberos.DLL","imgsize":753664},{"baseaddr":"0x7fefccc0000","basename":"CRYPTSP.dll","filepath":"C:\\Windows\\system32\\CRYPTSP.dll","imgsize":98304},{"baseaddr":"0x7fefdb60000","basename":"WS2_32.dll","filepath":"C:\\Windows\\system32\\WS2_32.dll","imgsize":315392},{"baseaddr":"0x7feff330000","basename":"NSI.dll","filepath":"C:\\Windows\\system32\\NSI.dll","imgsize":32768},{"baseaddr":"0x7fefcc60000","basename":"mswsock.dll","filepath":"C:\\Windows\\system32\\mswsock.dll","imgsize":348160},{"baseaddr":"0x7fefcc50000","basename":"wship6.dll","filepath":"C:\\Windows\\System32\\wship6.dll","imgsize":28672},{"baseaddr":"0x7fefcbf0000","basename":"msv1_0.DLL","filepath":"C:\\Windows\\system32\\msv1_0.DLL","imgsize":335872},{"baseaddr":"0x7f
efcb40000","basename":"netlogon.DLL","filepath":"C:\\Windows\\system32\\netlogon.DLL","imgsize":712704},{"baseaddr":"0x7fefcae0000","basename":"DNSAPI.dll","filepath":"C:\\Windows\\system32\\DNSAPI.dll","imgsize":372736},{"baseaddr":"0x7fefcab0000","basename":"logoncli.dll","filepath":"C:\\Windows\\system32\\logoncli.dll","imgsize":196608},{"baseaddr":"0x7fefca50000","basename":"schannel.DLL","filepath":"C:\\Windows\\system32\\schannel.DLL","imgsize":360448},{"baseaddr":"0x7fefd660000","basename":"CRYPT32.dll","filepath":"C:\\Windows\\system32\\CRYPT32.dll","imgsize":1495040},{"baseaddr":"0x7fefca10000","basename":"wdigest.DLL","filepath":"C:\\Windows\\system32\\wdigest.DLL","imgsize":221184},{"baseaddr":"0x7fefc9c0000","basename":"rsaenh.dll","filepath":"C:\\Windows\\system32\\rsaenh.dll","imgsize":290816},{"baseaddr":"0x7fefc9a0000","basename":"tspkg.DLL","filepath":"C:\\Windows\\system32\\tspkg.DLL","imgsize":102400},{"baseaddr":"0x7fefc950000","basename":"pku2u.DLL","filepath":"C:\\Windows\\system32\\pku2u.DLL","imgsize":282624},{"baseaddr":"0x7fefc900000","basename":"bcryptprimitives.dll","filepath":"C:\\Windows\\system32\\bcryptprimitives.dll","imgsize":311296},{"baseaddr":"0x7fefd420000","basename":"RpcRtRemote.dll","filepath":"C:\\Windows\\system32\\RpcRtRemote.dll","imgsize":81920},{"baseaddr":"0x7fefc8e0000","basename":"efslsaext.dll","filepath":"C:\\Windows\\system32\\efslsaext.dll","imgsize":73728},{"baseaddr":"0x7fefc8a0000","basename":"scecli.DLL","filepath":"C:\\Windows\\system32\\scecli.DLL","imgsize":253952},{"baseaddr":"0x7fefc890000","basename":"credssp.dll","filepath":"C:\\Windows\\system32\\credssp.dll","imgsize":40960},{"baseaddr":"0x7fefd340000","basename":"WINSTA.dll","filepath":"C:\\Windows\\system32\\WINSTA.dll","imgsize":249856},{"baseaddr":"0x7fefc700000","basename":"IPHLPAPI.DLL","filepath":"C:\\Windows\\system32\\IPHLPAPI.DLL","imgsize":159744},{"baseaddr":"0x7fefc6f0000","basename":"WINNSI.DLL","filepath":"C:\\Windows\\system32\\WINNSI
.DLL","imgsize":45056},{"baseaddr":"0x7fefb0d0000","basename":"netutils.dll","filepath":"C:\\Windows\\system32\\netutils.dll","imgsize":49152},{"baseaddr":"0x7fefb0b0000","basename":"wkscli.dll","filepath":"C:\\Windows\\system32\\wkscli.dll","imgsize":86016},{"baseaddr":"0x7fefd630000","basename":"USERENV.dll","filepath":"C:\\Windows\\system32\\USERENV.dll","imgsize":122880},{"baseaddr":"0x7fefd4d0000","basename":"profapi.dll","filepath":"C:\\Windows\\system32\\profapi.dll","imgsize":61440},{"baseaddr":"0x7fefc5c0000","basename":"wshtcpip.dll","filepath":"C:\\Windows\\System32\\wshtcpip.dll","imgsize":28672},{"baseaddr":"0x7fef2400000","basename":"dssenh.dll","filepath":"C:\\Windows\\system32\\dssenh.dll","imgsize":204800},{"baseaddr":"0x7fefc780000","basename":"GPAPI.dll","filepath":"C:\\Windows\\system32\\GPAPI.dll","imgsize":110592},{"baseaddr":"0x74540000","basename":"monitor-x64.dll","filepath":"C:\\tmpcaygsr\\bin\\monitor-x64.dll","imgsize":2269184}],"pid":500,"ppid":384,"process_name":"lsass.exe","process_path":"C:\\Windows\\System32\\lsass.exe","tid":1380,"time":0,"track":false,"type":"process"},{"calls":[{"api":"LdrLoadDll","arguments":{"basename":"KERNEL32","flags":0,"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1454","function_name":"InterlockedCompareExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1432","function_name":"InterlockedExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddr
ess","arguments":{"function_address":"0x757d11f8","function_name":"GetCurrentProcessId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d11c0","function_name":"GetLastError","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d10ff","function_name":"Sleep","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1245","function_name":"GetModuleHandleA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4977","function_name":"LoadLibraryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1222","function_name":"GetProcAddress","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d17d9","function_name":"GetCurrentProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","ar
guments":{"function_address":"0x757d1420","function_name":"GetCurrentThreadId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d110c","function_name":"GetTickCount","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d8769","function_name":"SetUnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d3468","function_name":"FreeLibrary","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d16f5","function_name":"QueryPerformanceCounter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f770f","function_name":"UnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757ed7ea","function_name":"TerminateProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":
"LdrGetProcedureAddress","arguments":{"function_address":"0x757d0e00","function_name":"GetStartupInfoA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fd1f3","function_name":"RtlUnwind","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fb2af","function_name":"OutputDebugStringA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d34a9","function_name":"GetSystemTimeAsFileTime","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrLoadDll","arguments":{"basename":"msvcrt","flags":0,"module_address":"0x75b60000","module_name":"msvcrt.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6db38","function_name":"_stricmp","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6de4a","function_name":"strstr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_
address":"0x75b69894","function_name":"free","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6b10d","function_name":"realloc","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69cee","function_name":"malloc","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714e3","function_name":"??1exception@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714f9","function_name":"??0exception@@QAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb56cd","function_name":"??0exception@@QAE@ABV0@@Z","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7132e","function_name":"_beginthreadex","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b83557"
,"function_name":"_CxxThrowException","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bbbf99","function_name":"_callnewh","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f607","function_name":"_ismbblead","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69790","function_name":"memset","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69910","function_name":"memcpy","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a42d","function_name":"_unlock","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f509","function_name":"__dllonexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a449","function_name":"_lock","module":"msvcrt","module
_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7112d","function_name":"_onexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb92bb","function_name":"??1type_info@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb61d7","function_name":"?terminate@@YAXXZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b72bc0","function_name":"__getmainargs","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b737d4","function_name":"_cexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bcb2e0","function_name":"_exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8dc75","function_name":"_XcptFilter","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"c
ategory":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c004d8","function_name":"_acmdln","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6c151","function_name":"_initterm","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bcb30f","function_name":"_amsg_exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bf77dd","function_name":"__setusermatherr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b727c3","function_name":"__p__commode","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b727ce","function_name":"__p__fmode","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b72804","function_name":"__set_app_type","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_va
lue":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f76e","function_name":"isleadbyte","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c02900","function_name":"_iob","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8fa7c","function_name":"_snprintf","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b84218","function_name":"_itoa","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb22bf","function_name":"wctomb","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6e1e1","function_name":"_controlfp","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c03210","function_name":"__badioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648
.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c00500","function_name":"__pioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6ac15","function_name":"_fileno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74303","function_name":"_lseeki64","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74078","function_name":"_write","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f383","function_name":"_isatty","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7ca0b","function_name":"_strlwr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a5b8","function_name":"_errno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_ad
dress":"0x75b83495","function_name":"__CxxFrameHandler","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b736aa","function_name":"exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb57a5","function_name":"?what@exception@@UBEPBDXZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x003c0000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x003c0000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":2,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"advapi32.dll","stack_pivote
d":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000040","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000044","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x02000000","key_handle":"0x00000048","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"NtOpenKeyEx","arguments":{"desired_a
ccess":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.583626},{"api":"LdrLoadDll","arguments":{"basename":"advapi32","flags":0,"module_address":"0x75e10000","module_name":"advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e19159","function_name":"CryptAcquireContextA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1e0a4","function_name":"CryptReleaseContext","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1dece","function_name":"CryptCreateHash","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1deb6","function_name":"CryptHashData","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1defe","function_name":"CryptGetHashParam","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":286
8,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1dee6","function_name":"CryptDestroyHash","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrLoadDll","arguments":{"basename":"CRYPTSP","flags":0,"module_address":"0x742d0000","module_name":"CRYPTSP.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d4a53","function_name":"CryptAcquireContextA","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.583626},{"api":"CryptAcquireContextA","arguments":{"container":"","crypto_handle":"0x006f6cf0","flags":4026531904,"provider":"","provider_type":1},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"Kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d13e0","function_name":"CloseHandle","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d5366","function_name":"CreateFileA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4c0b","function_name":"Creat
eMutexA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f733f","function_name":"CreateToolhelp32Snapshot","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d31cf","function_name":"DeviceIoControl","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d17bc","function_name":"GetCurrentThread","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75854aff","function_name":"GetLongPathNameA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1481","function_name":"GetModuleFileNameA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757e107d","function_name":"GetNativeSystemInfo","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d14b9","func
tion_name":"GetProcessHeap","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d496a","function_name":"GetSystemInfo","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f79b4","function_name":"GetThreadContext","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779ee0c6","function_name":"HeapAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1499","function_name":"HeapFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779fc7ac","function_name":"HeapReAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fd0a5","function_name":"IsBadReadPtr","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856459","function_name":"Module32
First","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856542","function_name":"Module32Next","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d111e","function_name":"ReleaseMutex","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1ad0","function_name":"SetErrorMode","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1826","function_name":"VirtualAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d183e","function_name":"VirtualFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d42ff","function_name":"VirtualProtect","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1136","function_name":"WaitForSingleObject","mod
ule":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1956","function_name":"OpenProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75e10000","module_name":"Advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24036","function_name":"AllocateAndInitializeSid","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1de84","function_name":"CheckTokenMembership","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2407e","function_name":"FreeSid","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e245ed","function_name":"RegCloseKey","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2485b","function_name":"RegOpenKeyExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"
category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24843","function_name":"RegQueryValueExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e240de","function_name":"AdjustTokenPrivileges","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e235e4","function_name":"CloseServiceHandle","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e23f9a","function_name":"LookupPrivilegeValueA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24254","function_name":"OpenProcessToken","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b20","function_name":"OpenSCManagerA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b38","function_name":"OpenServiceA","module":"advapi32","module_address":"0x75e10000"
,"ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1790c","function_name":"QueryServiceStatusEx","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Shell32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741700,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Shell32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741700,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtQuerySystemInformation","arguments":{"information_class":0},"category":"system","flags":{"information_class":"SystemBasicInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x77ac1000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":2,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x773a0000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x773a0000","heap_dep_bypas
s":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":32,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"IMM32","flags":0,"module_address":"0x75f10000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75f10000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x00000054","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000054","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":-1073741515,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000054"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75a30000","module_name":"LPK.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a348a0","function_name":"LpkTabbedTextOut","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a31430","function_name":"LpkPSMTextOut","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a313d0","function_name":"LpkDrawTextEx","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a37000","function_name":"LpkEditControl","module"
:"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x0000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000068","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000068","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"gdi32","flags":0,"module_address":"0x76e10000","module_name":"gdi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x76e29ea8","function_name":"GetCharABCWidthsI","module":"GDI32","module_address":"0x76e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"Shell32","flags":0,"module_address":"0x76050000","module_name":"Shell32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x762986f5","function_name":"ShellExecuteExA","module":"Shell32","module_address":"0x76050000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x77390000","module_name":"User32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773afffe","function_name":"FindWindowA","module":"USER32",
"module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773e9114","function_name":"SwitchToThisWindow","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773ad23e","function_name":"CreateWindowExA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a9a55","function_name":"DestroyWindow","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7bbb","function_name":"DispatchMessageA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7bd3","function_name":"GetMessageA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7d2f","function_name":"GetSystemMetrics","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b9045","function_name":"LoadImageA","module":"USER32","module_address":"
0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b71fe","function_name":"SendMessageA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a79fb","function_name":"SetTimer","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b86de","function_name":"SetWindowTextA","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773b0e13","function_name":"ShowWindow","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x773a7809","function_name":"TranslateMessage","module":"USER32","module_address":"0x77390000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Ole32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":5,"nt_status":0,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"Ole32.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":5,"nt_status":0,"return_value":3221225
781,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000084","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000084","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000084"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000084","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000084","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtClose","arguments":{"handle":"0x00000084"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"
status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x774d0000","module_name":"rpcrt4.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x774f009e","function_name":"I_RpcInitNdrImports","module":"RPCRT4","module_address":"0x774d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943648.599626},{"api":"NtOpenDirectoryObject","arguments":{"desired_access":"0x0000000f","directory_handle":"0x000000a0","dirpath":"\\Sessions\\1\\BaseNamedObjects","dirpath_r":"\\Sessions\\1\\BaseNamedObjects"},"category":"file","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrLoadDll","arguments":{"basename":"Ole32","flags":0,"module_address":"0x758d0000","module_name":"Ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75919c5b","function_name":"CoCreateInstance","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591097d","function_name":"CoInitializeEx","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"
stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x758f355b","function_name":"CreateStreamOnHGlobal","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943648.599626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeDebugPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x000000a4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a6cd42","function_name":"CsrGetProcessId","module":"ntdll","module_address":"0x779c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtOpenProcess","arguments":{"desired_access":"0x001fffff","process_handle":"0x00000000","process_identifier":408},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|SPECIFIC_RIGHTS_ALL"},"last_error":0,"nt_status":0,"return_value":3221225506,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"SetErrorMode","arguments":{"mode":2},"category":"system","flags":{"mode":"SEM_NOGPFAULTERRORBOX"},"return_value":32775,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"return_value":3980002,"stacktrace":[],"status":1,"tid":2868,"time":1606943649
.536626},{"api":"OpenSCManagerA","arguments":{"database_name":"","desired_access":2147483648,"machine_name":""},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"OpenServiceA","arguments":{"desired_access":4,"service_handle":"0x00000000","service_manager_handle":"0x006deca0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"last_error":1060,"nt_status":-1073741790,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x000000f8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x000000fc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"CreateThread","arguments":{"flags":0,"function_address":"0x75b712e5","parameter":"0x00922640","stack_size":0,"thread_identifier":2628},"category":"process","flags":{},"return_value":252,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"return_value":3966816,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}","regkey_r":"CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2628,"time":1606943649.536626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c100d","exception_code":"0xc0000094","instruction":"div eax","instruction_r":"f7 f0 e8 9c 05 00 00 85 c0 74 06 b8 0a 00 00 
00","module":"Win32.DarkTequila.exe","offset":4109,"symbol":"win32+0x100d"},"registers":{"eax":0,"ebp":2752212,"ebx":0,"ecx":3503292416,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751908},"stacktrace":["win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"return_value":3937488,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c1602","exception_code":"0xc0000096","instruction":"in eax, dx","instruction_r":"ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45","module":"Win32.DarkTequila.exe","offset":5634,"symbol":"win32+0x1602"},"registers":{"eax":1447909480,"ebp":2751900,"ebx":0,"ecx":10,"edi":1971160937,"edx":22104,"esi":7155388,"esp":2751844},"stacktrace":["win32+0x1014 @ 0x3c1014","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c1546","exception_code":"0xc000001d","instruction_r":"0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 
ec","module":"Win32.DarkTequila.exe","offset":5446,"symbol":"win32+0x1546"},"registers":{"eax":1,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":0,"esi":7155388,"esp":2751844},"stacktrace":["win32+0x1023 @ 0x3c1023","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrLoadDll","arguments":{"basename":"ole32","flags":0,"module_address":"0x758d0000","module_name":"ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.536626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f9796","function_name":"GetSystemWindowsDirectoryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"\u0000GetSystemW"},"category":"file","flags":{},"return_value":11,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0xc0100080","file_attributes":128,"file_handle":"0x00000114","f
ilepath":"\\??\\c:","filepath_r":"\\??\\c:","share_access":3,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"DeviceIoControl","arguments":{"control_code":2953344,"device_handle":"0x00000114","input_buffer":"","output_buffer":"\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000"},"category":"file","flags":{"control_code":"IOCTL_STORAGE_GET_DEVICE_NUMBER"},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x00000114"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x758eef0f","function_name":"OleInitialize","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.536626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0xc0100080","file_attributes":128,"file_handle":"0x00000114","filepath":"\\??\\PhysicalDrive0","filepath_r":"\\??\\PhysicalDrive0","share_access":3,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"DeviceIoControl","arguments":{"control_code":4752
64,"device_handle":"0x00000114","input_buffer":"","output_buffer":""},"category":"file","flags":{"control_code":""},"last_error":1,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x00000114"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"CreateToolhelp32Snapshot","arguments":{"flags":8,"process_identifier":2976},"category":"process","flags":{},"return_value":296,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32FirstW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[]
,"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status"
:1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"Module32NextW","arguments":{"snapshot_handle":"0x00000128"},"category":"process","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtClose","arguments":{"handle":"0x00000128"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"OLLYDBG","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"WinDbgFrameClass","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"PROCMON_WINDOW_CLASS","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"FindWindowA","arguments":{"class_name":"PROCEXPL","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"LdrLoadDll","arguments":{"basename":"wpcap","flags":0,"module_address":"0x00000000","module_name":"wpcap.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626}
,{"api":"NtClose","arguments":{"handle":"0x00008000"},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225480,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},{"api":"NtGetContextThread","arguments":{"thread_handle":"0xfffffffe"},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x00390000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x00390000","heap_dep_bypass":1,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":320,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE|PAGE_GUARD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00390000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c12ad","exception_code":"0x80000004","instruction":"mov dword ptr [ebp + 0xfffffffc], 0xfffffffe","instruction_r":"c7 45 fc fe ff ff ff b8 01 00 00 00 8b 4d f0 
64","module":"Win32.DarkTequila.exe","offset":4781,"symbol":"win32+0x12ad"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751860},"stacktrace":["win32+0x108c @ 0x3c108c","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"OleInitialize","arguments":{},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779dfae8","function_name":"NtQueryInformationProcess","module":"ntdll","module_address":"0x779c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ole32","flags":0,"module_address":"0x758d0000","module_name":"ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75916c74","function_name":"CreateBindCtx","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591e9fc","function_name":"CoTa
skMemAlloc","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"__exception__","arguments":{"exception":{"address":"0x3c121d","exception_code":"0x80000003","instruction":"rol byte ptr [ebx + 0x45c702c0], -4","instruction_r":"c0 83 c0 02 c7 45 fc fe ff ff ff b8 01 00 00 00","module":"Win32.DarkTequila.exe","offset":4637,"symbol":"win32+0x121d"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2026067364,"edi":1971160937,"edx":844648,"esi":7155388,"esp":2751860},"stacktrace":["win32+0x10b9 @ 0x3c10b9","win32+0x8b60 @ 0x3c8b60","win32+0xa83f @ 0x3ca83f","BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a","RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2","RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"]},"category":"__notification__","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x006fc000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741515,"return_value":3221225524,"stacktrace"
:[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":203,"nt_status":-1073741568,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a028d7","function_name":"RegisterTraceGuidsW","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75e10000","module_name":"advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a027c9","function_name":"EventRegister","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a1919d","function_name":"EventUnregister","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f8848","function_name":"EventEnabled","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"ti
me":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a196fd","function_name":"EventWrite","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"PROPSYS","flags":0,"module_address":"0x74190000","module_name":"PROPSYS.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419bf2c","function_name":"PSCreateMemoryPropertyStore","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419c9d6","function_name":"PSPropertyBag_WriteDWORD","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75916495","function_name":"CoGetApartmentType","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779df9bc","function_name":"NtSetInformationThread","module":"ntdll","module_address":"0x779c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"funct
ion_address":"0x759175b0","function_name":"CoRegisterInitializeSpy","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x006fd000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"last_error":6,"nt_status":-1073741816,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000140","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select","regkey_r":"SYSTEM\\Select"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000140","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueEx
A","arguments":{"key_handle":"0x00000144","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","regkey_r":"Current","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000144","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","regkey_r":"LastKnownGood","value":2},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000144"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters","regkey_r":"SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000140"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000144","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc","regkey_r":"EnableBpc","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":6,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000144"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000144","options":0,"regkey
":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters","regkey_r":"SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000144","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc","regkey_r":"EnableBpc","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":6,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000144"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"GetNativeSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000101","base_handle":"0x80000002","key_handle":"0x00000140","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","regkey_r":"SOFTWARE\\Microsoft\\Cryptography"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"st
atus":1,"tid":2576,"time":1606943649.552626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000140","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","regkey_r":"MachineGuid","value":"3e8a2b26-09e3-46d4-9d82-040453578837"},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000140"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d5d1b","function_name":"CryptCreateHash","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptCreateHash","arguments":{"algorithm_identifier":"0x00008004","crypto_handle":"0x00000000","flags":0,"hash_handle":"0x006fd010","provider_handle":"0x006f6cf0"},"category":"crypto","flags":{"algorithm_identifier":"CALG_SHA1"},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d5f62","function_name":"CryptHashData","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptHashData","arguments":{"buffer":"6401E9A2-4DC0-4622-A3A7-961BB3EF704B","flags":0,"hash_handle":"0x006fd010"},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptHashData","arguments":{"buffer":"3e8a2b26-09e3-46d4-9d82-040453578837","flags":0,"hash_handle":"0x006fd010"},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"CryptHashData","arguments":{"buffer":"6401E9A2-4DC0-4622
-A3A7-961BB3EF704B","flags":0,"hash_handle":"0x006fd010"},"category":"crypto","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d667c","function_name":"CryptGetHashParam","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d6135","function_name":"CryptDestroyHash","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":1,"mutant_handle":"0x00000140","mutant_name":"Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category
":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOF
T\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000144","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000144","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000144"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"categ
ory":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000009","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\Win32.DarkTequila.exe"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75926f61","function_name":"CoTaskMemFree","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"CreateActCtxW","arguments":{"application_name":"","module_handle":"0x76050000","resource_name":""},"category":"misc","flags":{},"return_value":7329276,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x006ff000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"CreateActCtxW","arguments":{"application_name":"","module_handle":"0x00000000","resource_name":""},"category":"misc","flags":{},"return_value":7331500,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75a30000","module_
name":"LPK","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75a37000","function_name":"LpkEditControl","module":"LPK","module_address":"0x75a30000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"comctl32","flags":0,"module_address":"0x73ff0000","module_name":"comctl32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"comctl32","flags":0,"module_address":"0x73ff0000","module_name":"comctl32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7401e05d","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":236},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"OLEAUT32","flags":0,"module_address":"0x75ac0000","module_name":"OLEAUT32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75ac3f8a","function_name":"","module":"OLEAUT32","module_address":"0x75ac0000","ordinal":6},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591e9fc","function_name":"CoTaskMemAlloc","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":16069
43649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x759161a9","function_name":"CoGetMalloc","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000158","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000158","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419c97f","function_name":"PSPropertyBag_ReadDWORD","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419ca28","f
unction_name":"PSPropertyBag_ReadGUID","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x740211b9","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":320},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x74021158","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":324},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x740206f0","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":323},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000158","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\W
indows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e243ab","function_name":"RegEnumKeyW","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x00000158","key_name":"{031E4825-7B94-4dc3-B131-E946B44C8DD5}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"
time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":1,"key_handle":"0x00000158","key_name":"{04731B67-D933-450a-90E6-4ACD2E9408FE}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":2,"key_handle":"0x00000158","key_name":"{11016101-E366-4D22-BC06-4ADA335C892B}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{
"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":3,"key_handle":"0x00000158","key_name":"{26EE0668-A00A-44D7-9371-BEB064C98683}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE
\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":4,"key_handle":"0x00000158","key_name":"{4336a54d-038b-4685-ab02-99bb52d3fb8b}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626
},{"api":"RegEnumKeyW","arguments":{"index":5,"key_handle":"0x00000158","key_name":"{450D8FBA-AD25-11D0-98A8-0800361B1103}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":6,"key_handle":"0x00000158","key_name":"{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion
\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":7,"key_handle":"0x00000158","key_name":"{59031a47-3f72-44a7-89c5-5595fe6b30ee}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy","value":""},"category":"registry","fla
gs":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":8,"key_handle":"0x00000158","key_name":"{645FF040-5081-101B-9F08-00AA002F954E}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":9,"key_handle":"0x00000158","key_name":"{89D83576-6BD1-4c86-9454-BEB04E94C819}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\
Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":10,"key_handle":"0x00000158","key_name":"{9343812e-1c37-4a49-a12e-4b2d810d956b}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":
2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":11,"key_handle":"0x00000158","key_name":"{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":160694364
9.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":12,"key_handle":"0x00000158","key_name":"{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":13,"key_handle":"0x00000158","key_name":"{daf95313-e44d-46af-be1b-cbacea2c3065}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpen
KeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":14,"key_handle":"0x00000158","key_name":"{e345f35f-9397-435c-8f95-4e922c26259e}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\
Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":15,"key_handle":"0x00000158","key_name":"{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"R
egEnumKeyW","arguments":{"index":16,"key_handle":"0x00000158","key_name":"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"RegEnumKeyW","arguments":{"index":17,"key_handle":"0x00000158","key_name":"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"},"category":"registry","flags":{},"last_error":0,"nt_status":-2147483622,"return_value":259,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.
552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-2147483622,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00000400","process_handle":"0x00000158","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2427c","f
unction_name":"OpenThreadToken","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000158","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u000
0Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u000
0\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00701000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFold
er"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AE
A-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u
0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\
\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"in
formation_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","a
rguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309
D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\
u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.552626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING","value":""},"cate
gory":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00
000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\
u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0
000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":160694364
9.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":
-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"info
rmation_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information
_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000
l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20
D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626
},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"t
id":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u00
00E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[]
,"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_A
LLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75912208","function_name":"StringFromGUID2","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","
key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation
"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Cl
asses\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u00
00o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFol
der\\CallForAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desire
d_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"Nt
QueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u
0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arg
uments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225
524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInform
ation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x0000015
6","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E
\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\C
lasses\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid
":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"sta
cktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u000
0D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":10
08,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\Shel
lFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B
30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u00
00o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H
\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_hand
le":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x
0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"c
ategory":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069
-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":16069
43649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0
000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","ke
y_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","value":36},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"stat
us":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":
[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u
00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008
,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellF
older"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}
\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\
u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u00
00\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_nam
e":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"s
tatus":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace"
:[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u000
05\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"n
t_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFold
er"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Nod
e\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\
u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N
\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000015
6","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"
category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"
registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000
e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum","value":""},"category":"registry","flags"
:{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","value":1048576},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"},"category":"registry","flags":{"desired_ac
cess":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08
002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00d4\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000I\u0000n\u0000P\u0000r\u0000o\u0000c\u0000S\u0000e\u0000r\u0000v\u0000e\u0000r\u00003\u00002\u0000","information_class":3,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_clas
s":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","value":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u00d4\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000I\u0000n\u0000P\u0000r\u0000o\u0000c\u0000S\u0000e\u0000r\u0000v\u0000e\u0000r\u00003\u00002\u0000","information_class":3,"key_han
dle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x00000156","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000156","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0
0000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"LdrLoadDll","arguments":{"basename":"apphelp","flags":0,"module_address":"0x73fa0000","module_name":"apphelp.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x73faa4cb","function_name":"ApphelpCheckShellObject","module":"apphelp","module_address":"0x73fa0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session 
Manager\\AppCompatibility"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000000","key_handle":"0x00000154","regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871c5380-42a0-1069-a2ea-08002b30309d}\\InProcServer32"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryValueKey","arguments":{"information_class":1,"key_handle":"0x00000154","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","value":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"registry","flags":{"information_class":"KeyValueFullInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"ieframe.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":1008,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.568626},{"api":"NtOpenFile","arguments":{"desired_access":"0x00100081","file_handle":"0x00000154","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ie
frame.dll","open_options":96,"share_access":5,"status_info":1},"category":"file","flags":{"desired_access":"FILE_READ_DATA|FILE_READ_ATTRIBUTES|FILE_LIST_DIRECTORY","open_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00702000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":128,"file_handle":"0x00000154","filepath":"C:\\Windows\\AppPatch\\sysmain.sdb","filepath_r":"\\SystemRoot\\AppPatch\\sysmain.sdb","share_access":1,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.568626},{"api":"NtQueryInformationFile","arguments":{"file_handle":"0x00000154","information_class":5},"category":"file","flags":{"information_class":"FileStandardInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000005","file_handle":"0x00000154","object_handle"
:"0x00000000","protection":2,"section_handle":"0x0000015c","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x02760000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x0000015c","section_offset":0,"view_size":4083712,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryInformationFile","arguments":{"file_handle":"0x00000154","information_class":5},"category":"file","flags":{"information_class":"FileStandardInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x779c0000","module_name":"ntdll.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":32769},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX"},"return_value":6,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenFile","arguments":{"desired_access":"0x00100001","file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\","open_options":16417,"share_access":3,"status_info":1},"category":"file","flags":{"desired_access":"FILE_READ_DATA|FILE_LIST_DIRECTORY","open_options":"FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64\\ieframe.dll","file_handle":"0x00000
160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":32769},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"GetFileAttributesW","arguments":{"file_attributes":32,"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":32,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows","filepath_r":"C:\\Windows"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows\\SysWOW64","filepath_r":"C:\\Windows\\SysWOW64"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":25
76,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":32773},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00000001","key_handle":"0x00000160","regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryValueKey","arguments":{"information_class":1,"key_handle":"0x00000160","key_name":"Cache","reg_type":1,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache","value":"C:\\Users\\mes-vms\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"},"category":"registry","flags":{"information_class":"KeyValueFullInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000100","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\AppCompatFlags\\Layers"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000100","key_handle":"0x00000000","regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtOpenKey","arguments":{"desired_access":"0x80000100","key_handle":"0x00000000","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\ieframe.dll"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00703000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"FindFirstFileExW","arguments":{"filepath":"C:\\Windows\\SysWOW64\\*.*","filepath_r":"C:\\Windows\\SysWOW64\\*.*"},"category":"file","flags":{},"return_value":7331824,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00705000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection
":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00707000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00708000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windo
ws\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00709000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0070c000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64
","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0070d000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value"
:0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0070e000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","
file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00710000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00711000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle"
:"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00712000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00713000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160
","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00714000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00715000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","informati
on_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00716000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":257
6,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00717000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00718000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":160
6943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00719000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"c
ategory":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071a000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071d000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"fi
le","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071e000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071f000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocati
on_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00720000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00721000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"ME
M_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00722000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirector
yFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00724000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_c
lass":"FileBothDirectoryInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryDirectoryFile","arguments":{"dirpath":"C:\\Windows\\SysWOW64","file_handle":"0x00000160","information_class":3},"category":"file","flags":{"information_class":"FileBothDirectoryInformation"},"last_error":1008,"nt_status":-1073741772,"return_value":2147483654,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.583626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"SetErrorMode","arguments":{"mode":1},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtQueryAttributesFile","arguments":{"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.583626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000007","file_handle":"0x00000160","object_handle":"0x00000000","protection":2,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace"
:[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x71cb0000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":13701120,"win32_protect":4},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":32773},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"},"return_value":5,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x00000160","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CMF\\Config"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000160","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":0,"
desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x00000160","object_handle":"0x00000000","protection":8,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x02b50000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":1900544,"win32_protect":8},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x02b50000","process_handle":"0xffffffff","process_identifier":2976,"region_size":1900544},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"
base_address":"0x71cb0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":1},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00726000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryAttributesFile","arguments":{"filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll"},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000007","file_handle":"0x00000160","object_handle":"0x00000000","protection":2,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":
0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x729d0000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":13701120,"win32_protect":4},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":32773},"category":"system","flags":{"mode":"SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"},"return_value":5,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":0,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x00000160","object_handle":"0x00000000","protection":8,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"
return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x02b50000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":1900544,"win32_protect":8},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x02b50000","process_handle":"0xffffffff","process_identifier":2976,"region_size":1900544},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x729d0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":128,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":1,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"t
ime":1606943649.599626},{"api":"NtQueryInformationFile","arguments":{"file_handle":"0x00000160","information_class":5},"category":"file","flags":{"information_class":"FileStandardInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateSection","arguments":{"desired_access":"0x00000005","file_handle":"0x00000160","object_handle":"0x00000000","protection":2,"section_handle":"0x00000164","section_name":""},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x71cb0000","buffer":"","commit_size":0,"process_handle":"0xffffffff","process_identifier":2976,"section_handle":"0x00000164","section_offset":0,"view_size":13701120,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x80100080","file_attributes":128,"file_handle":"0x00000168","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":1,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetFilePointerEx","arguments":{"file_handle":"0x00000168","move_method":2,"offset":13679616},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetFilePointer","arguments":{"file_handle":"0x00000168","move_method":2,"offset":4294966272},"ca
tegory":"file","flags":{},"return_value":13678592,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtReadFile","arguments":{"buffer":"t2|2\u00842\u008c2\u00902\u00982\u009c2\u00a02\u00a42\u00a82\u00ac2\u00b02\u00b42\u00bc2\u00c02\u00c42\u00c82\u00cc2\u00d42\u00d82\u00e02\u00e42\u00e82\u00ec2\u00f42\u00f82\u00fc2\u00003\u00043\b3\f3\u00103\u00183\u001c3 3$3(3,3034383<3@3D3L3P3T3X3\\3`3d3h3l3p3t3x3|3\u00803\u00843\u00883\u008c3\u00903\u00943\u00983\u009c3\u00a03\u00a43\u00a83\u00ac3\u00b03\u00b43\u00b83\u00bc3\u00c03\u00c43\u00c83\u00cc3\u00d03\u00d43\u00d83\u00dc3\u00e03\u00e43\u00e83\u00ec3\u00f03\u00f43\u00f83\u00fc3\u00004\u00044\b4\f4\u00104\u00144\u00184\u001c4 4$4(4,4044484<4@4D4H4L4P4T4X4\\4`4d4h4l4p4t4x4|4\u00804\u00844\u00884\u008c4\u00904\u00944\u00984\u009c4\u00a04\u00a44\u00a84\u00ac4\u00b04\u00b84\u00bc4\u00c04\u00c44\u00c84\u00cc4\u00d04\u00d44\u00d84\u00dc4\u00e04\u00e84\u00ec4\u00f04\u00f44\u00f84\u00005\u00045\b5\f5\u00105\u00145\u00185\u001c5 5$5(5054585<5@5D5H5L5P5T5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d45\u00d85\u00dc5\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00006\u00046\b6\f6\u00106\u00146\u00186\u001c6 6$6(6,6064686<6@6D6H6L6P6T6X6\\6`6d6h6l6p6t6x6|6\u00806\u00846\u00886\u008c6\u00906\u00946\u00986\u009c6\u00a06\u00a46\u00a86\u00ac6\u00b06\u00b46\u00b86\u00bc6\u00c06\u00c46\u00c86\u00cc6\u00d46\u00dc6\u00e06\u00e86\u00ec6\u00f06\u00f46\u00f86\u00fc6\u00007\u00047\b7\f7\u00107\u00147\u00187\u001c7 7$7(7,7074787<7@7D7H7L7P7T7X7\\7`7d7h7l7p7t7x7|7\u00807\u00847\u00887\u008c7\u00907\u00947\u00987\u009c7\u00a07\u00a47\u00a87\u00ac7\u00b07\u00b47\u00b87\u00bc7\u00c07\u00c47\u00c87\u00cc7\u00d07\u00d47\u00d87\u00dc7\u00e07\u00e47\u00e87\u00ec7\u00f07\u00f47\u00f87\u00fc7\u00008\u00048\b8\f8\u00108\u00148\u00188\u001c8 
8$8(8,8084888<8@8D8H8L8P8T8X8\\8`8d8h8l8p8t8x8|8\u00808\u00848\u00888\u008c8\u00948\u009c8\u00a08\u00a48\u00ac8\u00b48\u00b88\u00bc8\u00c08\u00c48\u00c88\u00cc8\u00d08\u00d48\u00dc8\u00e48\u00e88\u00ec8\u00f08\u00f48\u00f88\u00009\u00049\b9\f9\u00109\u00149\u00189\u001c9 9$9(9,9094989<9@9D9H9L9P9T9X9\\9`9d9h9l9p9t9|9\u00809\u00849\u00889\u008c9\u00909\u00949\u00989\u009c9\u00a09\u00a49\u00a89\u00b09\u00b49\u00bc9\u00c49\u00c89\u00d09\u00d89\u00dc9\u00e09\u00e89\u00ec9\u00f09\u00f49\u00f89\u00fc9\u0000:\u0004:\f:\u0010:\u0014:\u0018: :$:(:0:8:<:D:L:P:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x00000168","length":1024,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000168"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x71cb0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":257
6,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0070c000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":12288},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00708000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00716000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00712000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0071e000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"SetErrorMode","arguments":{"mode":6},"category":"system","flags":{"mode":"SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOGPFAULTERRORBOX"},"return_value":32773,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":96,"desired_access":"0x00100080","file_attributes":128,"file_handle":"0x00000160","filepath":"C:\\Windows\\SysWOW64\\ieframe.dll","filepath_r":"\\??\\C:\\Windows\\SysWOW64\\ieframe.dll","share_access":7,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_S
YNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"FILE_ATTRIBUTE_NORMAL","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x02760000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4083712},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071e000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S
\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000154","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000156"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000154","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell 
Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF","value":"\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fba\u00f4\u0094wy\u00d3\u0001"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020119","key_handle":"0x00000154","regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000154","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.599626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020119","key_handle":"0x0000015c","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000015c","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626
},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000015c","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x00000154"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"NtClose","arguments":{"handle":"0x0000015c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75919c5b","function_name":"CoCreateInstance","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.599626},{"api":"CoCreateInstance","arguments":{"class_context":1025,"clsid":"{871c5380-42a0-1069-a2ea-08002b30309d}","iid":"{000214e6-0000-0000-c000-000000000046}"},"category":"ole","flags":{"clsid":"Internet_Explorer","iid":"IShellFolder"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741515,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x00000194","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings","regkey_r":"Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000194","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x00000198","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","regkey_r":"Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000198","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x0000019c","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","regkey_r":"Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000019c","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x000001a0","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","regkey_r":"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001a0","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","regkey_r":"CreateUriCacheSize","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000194","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x00000198","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000019c","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001a0","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","regkey_r":"EnablePunycode","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x000001a4","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001a4","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\Security_HKLM_only","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001a4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x000001a4","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","regkey_r":"Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x80000001","key_handle":"0x000001a8","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl","regkey_r":"Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x000001a8","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","regkey_r":"FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00000001","base_handle":"0x000001a4","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","regkey_r":"FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f407f","function_name":"AcquireSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f4039","function_name":"ReleaseSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":
1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-downlevel-ole32-l1-1-0","flags":0,"module_address":"0x772e0000","module_name":"api-ms-win-downlevel-ole32-l1-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7591e9fc","function_name":"CoTaskMemAlloc","module":"api-ms-win-downlevel-ole32-l1-1-0","module_address":"0x772e0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":8,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00926000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":16384,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocat
ion_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":8192,"base_address":"0x02760000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x02760000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":73728,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f407f","function_name":"AcquireSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f4039","function_name":"ReleaseSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stac
k_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-downlevel-advapi32-l1-1-0","flags":0,"module_address":"0x76ca0000","module_name":"api-ms-win-downlevel-advapi32-l1-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a028d7","function_name":"RegisterTraceGuidsW","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":8,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2427c","function_name":"OpenThreadToken","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"st
ack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24254","function_name":"OpenProcessToken","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24036","function_name":"AllocateAndInitializeSid","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"s
tacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1de84","function_name":"CheckTokenMembership","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_piv
oted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2407e","function_name":"FreeSid","module":"api-ms-win-downlevel-advapi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"GetNativeSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0092a000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":24576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f407f","function_name":"AcquireSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"categor
y":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779f4039","function_name":"ReleaseSRWLockExclusive","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"ADVAPI32","flags":0,"module_address":"0x75e10000","module_name":"ADVAPI32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a28f8b","function_name":"RegisterTraceGuidsA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":8,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_WRITECOPY"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"ti
me":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a9b11a","function_name":"EventSetInformation","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x756ef000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741700,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"urlmon","flags":0,"module_address":"0x75600000","module_name":"urlmon.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75624610","function_name":"IsValidURL","module":"urlmon","module_address":"0x75600000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenProcess","arguments":{"desired_access
":"0x00000400","process_handle":"0x000001c8","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00000400","process_handle":"0x000001cc","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"GlobalMemoryStatusEx","arguments":{},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":0,"desired_access":"0x00100080","file_attributes":0,"file_handle":"0x000001c8","filepath":"\\??\\C:","filepath_r":"\\??\\C:","share_access":7,"status_info":0},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_
access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_SUPERSEDED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtDeviceIoControlFile","arguments":{"control_code":5636096,"file_handle":"0x000001c8","input_buffer":"","output_buffer":"\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u00f9\u0018\u0000\u0000\u0000"},"category":"file","flags":{"control_code":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x000001c8","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main","regkey_r":"Software\\Microsoft\\Internet Explorer\\Main"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow","regkey_r":"FrameTabWindow","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x000001cc","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main","regkey_r":"Software\\Microsoft\\Internet 
Explorer\\Main"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow","regkey_r":"FrameTabWindow","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging","regkey_r":"FrameMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging","regkey_r":"FrameMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging","regkey_r":"SessionMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\SessionMerging","regkey_r":"SessionMerging","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs","regkey_r":"AdminTabProcs","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs","regkey_r":"AdminTabProcs","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001d0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtClose","arguments":{"handle":"0x000001d0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000002","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegOpenKeyExW","arguments":{"access":"0x00020019","base_handle":"0x80000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet 
Explorer\\Main","regkey_r":"Software\\Policies\\Microsoft\\Internet Explorer\\Main"},"category":"registry","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001c8","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x000001cc","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\TabProcGrowth","regkey_r":"TabProcGrowth","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-downlevel-shlwapi-l2-1-0","flags":0,"module_address":"0x73f80000","module_name":"api-ms-win-downlevel-shlwapi-l2-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7731a0b7","function_name":"SHStrDupW","module":"api-ms-win-downlevel-shlwapi-l2-1-0","module_address":"0x73f80000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75926f61","function_name":"CoTaskMemFree","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","p
rocess_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrLoadDll","arguments":{"basename":"PROPSYS","flags":0,"module_address":"0x74190000","module_name":"PROPSYS.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7419bf2c","function_name":"PSCreateMemoryPropertyStore","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x741da581","function_name":"PSCreateAdapterFromPropertyStore","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_p
ivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"CoCreateInstance","arguments":{"class_context":1,"clsid":"{76765b11-3f95-4af2-ac9d-ea55d8994f1a}","iid":"{00000000-0000-0000-c000-000000000046}"},"category":"ole","flags":{"clsid":"Property_System_Both_Class_Factory","iid":"IID_IUnknown"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"EXPLORER.EXE","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"EXPLORER.EXE","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x741be0a5","function_name":"PropVariantToBSTR","module":"PROPSYS","module_address":"0x74190000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status"
:1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75913cb9","function_name":"PropVariantClear","module":"api-ms-win-downlevel-ole32-l1-1-0","module_address":"0x772e0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75926f61","function_name":"CoTaskMemFree","module":"api-ms-win-downlevel-ole32-l1-1-0","module_address":"0x772e0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection
":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7731b141","function_name":"IUnknown_Set","module":"api-ms-win-downlevel-shlwapi-l2-1-0","module_address":"0x73f80000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x73046000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LoadStringW","arguments":{"id":10240,"module_handle":"0x729d0000","string":"Ou&vrir"},"category":"ui","flags":{},"return_value":7,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x760eb659","function_name":"","module":"Shell32","module_address":"0x76050000","ordinal":102},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\http\\OpenWithProgids"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741515,"return_value":3221225524,"stacktrace":[],"status":0,"tid"
:2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x000001d8","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001d8","key_name":"","reg_type":1,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid","value":"FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u
00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d6"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000","information_class":3,"key_handle":"0x000000fa","regkey":"HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000fa","regkey":"
HKEY_CURRENT_USER"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\CurVe
r"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x00000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\CurVer"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d8","options":0,"regkey":"HKEY
_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001d6"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d4","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid"
:2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001da"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000001d8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001d6","key_name":"","reg_type":0,"regkey":"HK
EY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001da","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001da"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","infor
mation_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d8","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000","information_class":3,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtOpenKeyEx"
,"arguments":{"desired_access":"0x02000000","key_handle":"0x000001dc","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001da","key_name":"","reg_type":1,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)","value":"open"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.646626},{"api":"NtClose","arguments":{"handle":"0x000001de"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000","information_class":3,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000",
"information_class":7,"key_handle":"0x000001da","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001dc","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u00d8\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000\\\u0000o\u0000p\u0000e\u0000n\u0000","information_class":3,"key_handle":"0x000001de","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001de","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"
status":1,"tid":2576,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000001e0","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001de","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000001e2","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001e2"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001da"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00
008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000","information_class":3,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0004\u0000\u0000","information_class":7,"key_handle":"0x000001d6","regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000001d8","options":0,"regkey":"HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001d6"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x000001de"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirecto
ryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LoadStringW","arguments":{"id":4,"module_handle":"0x76ed0000","string":"M\u00e9moire insuffisante"},"category":"ui","flags":{},"return_value":20,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000020c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrLoadDll","arguments":{"basename":"API-MS-Win-Core-LocalRegistry-L1-1-0","flags":0,"module_address":"0x757c0000","module_name":"API-MS-Win-Core-LocalRegistry-L1-1-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1eee","function_name":"RegQueryValueExW","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000020c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"las
t_error":0,"nt_status":0,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x0000020c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000020c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000020c","key_name":"","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath","value":"%SystemRoot%\\inf"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x0000020c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000210","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtCreateMutant","arguments":{"desired_access":"0x001f0001","initial_owner":0,"mutant_handle":"0x00000218","mutant_name":""},"category":"synchronisation","flags":{"desired_access":"STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetNativeSystemInfo","arguments":{"processor_count"
:2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetSystemWindowsDirectoryW","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x0000021c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrLoadDll","arguments":{"basename":"SETUPAPI","flags":0,"module_address":"0x76ed0000","module_name":"SETUPAPI.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77075ff7","function_name":"CM_Get_Device_Interface_List_Size_ExW","module":"SETUPAPI","module_address":"0x76ed0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0xfffffffe","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x000001f0","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00708000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[]
,"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77075480","function_name":"CM_Get_Device_Interface_List_ExW","module":"SETUPAPI","module_address":"0x76ed0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0x00000220","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x00000224","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumeNameForVolumeMountPointW","arguments":{"volume_mount_point":"\\\\?\\IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#5&394c0ad3&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\","volume_name":"\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Window
s\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":2147483653,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","value":"\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00ba\u0001\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0001\u0000\u0000\u0080\u00bd\u00ad\u00db\u00ba\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000I\u0000D\u0000E\u0000#\u0000C\u0000d\u0000R\u0000o\u0000m\u0000V\u0000B\u0000O\u0000X\u0000_\u0000C\u0000D\u0000-\u0000R\u0000O\u0000M\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000
_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u00001\u0000.\u00000\u0000_\u0000_\u0000_\u0000_\u0000_\u0000#\u00005\u0000&\u00003\u00009\u00004\u0000c\u00000\u0000a\u0000d\u00003\u0000&\u00000\u0000&\u00000\u0000.\u00000\u0000.\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00005\u00009\u00000\u00004\u0000e\u0000f\u00001\u00003\u0000-\u00002\u0000a\u00002\u00004\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u0000b\u00004\u00007\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0x00000220","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x00000224","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumeNameForVolumeMountPointW","arguments":{"volume_mount_point":"\\\\?\\STORAGE#Volume#{6fb977c0-2a1f-11ea-848b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\","volume_name":"\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx"
,"arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":2147483653,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","value":"\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00ba\u0001\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u0000\u00e7\u0003\u00ff\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0004i\u00ad\u00ae\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000S\u0000T\u0000O\u0000R\u0000A\u0000G\u0000E\u0000#\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000#\u0000{\u00006\u0000f\u0000b\u00009\u00007\u00007\u0000c\u00000\
u0000-\u00002\u0000a\u00001\u0000f\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u00008\u00004\u00008\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000#\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00001\u00000\u00000\u00000\u00000\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u
0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00003\u0000e\u0000b\u0000d\u00002\u00007\u00004\u00004\u0000-\u0000e\u00005\u00006\u00009\u0000-\u00001\u00001\u0000e\u00007\u0000-\u0000b\u00003\u00008\u00002\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000R\u0000\u00e9\u0000s\u0000e\u0000r\u0000v\u0000\u00e9\u0000 \u0000a\u0000u\u0000 \u0000s\u0000y\u0000s\u0000t\u0000\u00e8\u0000m\u0000e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u0000T\u0000F\u0000S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000022
4","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0x00000224","source_process_handle":"0xffffffff","source_process_identifier":2976,"target_handle":"0x00000220","target_process_handle":"0xffffffff","target_process_identifier":2976},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumeNameForVolumeMountPointW","arguments":{"volume_mount_point":"\\\\?\\STORAGE#Volume#{6fb977c0-2a1f-11ea-848b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\","volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":1252,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":
1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":2147483653,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000224","key_name":"","reg_type":3,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","value":"\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00baA\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u0000\u00e7\u0003\u00ff\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u00e0\u009d\u00b2\u0010\u0004@\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000S\u0000T\u0000O\u0000R\u0000A\u0000G\u0000E\u0000#\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000#\u0000{\u0
0006\u0000f\u0000b\u00009\u00007\u00007\u0000c\u00000\u0000-\u00002\u0000a\u00001\u0000f\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u00008\u00004\u00008\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000#\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00006\u00005\u00000\u00000\u00000\u00000\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u
0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00003\u0000e\u0000b\u0000d\u00002\u00007\u00004\u00005\u0000-\u0000e\u00005\u00006\u00009\u0000-\u00001\u00001\u0000e\u00007\u0000-\u0000b\u00003\u00008\u00002\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u0000T\u0000F\u0000S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000224","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000220","options":0,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000224"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"s
tatus":1,"tid":2920,"time":1606943649.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000220","key_name":"","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":"C:\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\","volume_path_name":"D:\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":
{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":""},"category":"file","flags":{},"last_error":234,"nt_status":-2147483643,"return_value":0,"stacktrace":[],"status":0,"tid":2920,"time":1606943649.661626},{"api":"GetVolumePathNamesForVolumeNameW","arguments":{"volume_name":"\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\","volume_path_name":"C:\\"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"NtClose","arguments":{"handle":"0x00000220"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7401e5a5","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":386},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"LdrUnloadDll","arguments":{"library":"Shell32","module_address":"0x76050000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2920,"time":1606943649.661626},{"api":"CreateProcessInternalW","arguments":{"command_line":"\"C:\\Program Files\\Mozilla 
Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","creation_flags":67634192,"current_directory":"C:\\Users\\mes-vms\\AppData\\Local\\Temp","filepath":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","filepath_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","inherit_handles":0,"process_handle":"0x000001e0","process_identifier":1952,"stack_pivoted":0,"thread_handle":"0x000001ec","thread_identifier":2524,"track":1},"category":"process","flags":{"creation_flags":"CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"ShellExecuteExW","arguments":{"filepath":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","filepath_r":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","parameters":"","show_type":10},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001da"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x758eead9","function_name":"OleUninitialize","module":"Ole32","module_address":"0x758d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"ShellExecuteExW","arguments":{"filepath":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","filepath_r":"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974","parameters":"","show_type":10},"category":"process","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2628,"time":1606943649.677626},{"api":"CoUninitialize","arguments":{},"category":"ole","flags":{},"return_value":0,"s
tacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"LdrUnloadDll","arguments":{"library":"Shell32","module_address":"0x76050000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"NtClose","arguments":{"handle":"0x0000011c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.677626},{"api":"NtDelayExecution","arguments":{"milliseconds":3000,"skipped":0},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"CreateThread","arguments":{"flags":0,"function_address":"0x75b712e5","parameter":"0x00922640","stack_size":262144,"thread_identifier":3020},"category":"process","flags":{},"return_value":292,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x02570000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":704512,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":3020,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":8192,"base_address":"0x10000000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":753664,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x10000000"
,"heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":753664,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x10000000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x10001000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x1000b000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":704512,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x100b7000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.
552626},{"api":"LdrLoadDll","arguments":{"basename":"KERNEL32","flags":0,"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4977","function_name":"LoadLibraryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1222","function_name":"GetProcAddress","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d42ff","function_name":"VirtualProtect","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1826","function_name":"VirtualAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d183e","function_name":"VirtualFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrLoadDll","arguments":{"basename":"msvcrt","flags":0,"module_address":"0x75b60000","module_name":"msvcrt.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x7
5b69894","function_name":"free","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10001000","heap_dep_bypass":1,"length":40960,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x1000b000","heap_dep_bypass":1,"length":704512,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x100b7000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},{"api":"LdrLoadDll","arguments":{"basename":"KERNEL32","flags":0,"module_address":"0x757c0000","module_name":"KERNEL32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d4977","function_name":"LoadLibraryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1245","function_name":"GetModuleHandleA","module":"kernel32","module_address":"0x757c
0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d17d9","function_name":"GetCurrentProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1454","function_name":"InterlockedCompareExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1432","function_name":"InterlockedExchange","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1222","function_name":"GetProcAddress","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d11f8","function_name":"GetCurrentProcessId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d11c0","function_name":"GetLastError","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757ed7ea","function_name":"TerminateProcess","module":"kernel32","mod
ule_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d10ff","function_name":"Sleep","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1420","function_name":"GetCurrentThreadId","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d110c","function_name":"GetTickCount","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d16f5","function_name":"QueryPerformanceCounter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d8769","function_name":"SetUnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f770f","function_name":"UnhandledExceptionFilter","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fd1f3","function_name":"RtlUnwind","module":
"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fb2af","function_name":"OutputDebugStringA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d34a9","function_name":"GetSystemTimeAsFileTime","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrLoadDll","arguments":{"basename":"msvcrt","flags":0,"module_address":"0x75b60000","module_name":"msvcrt.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6de4a","function_name":"strstr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6dbae","function_name":"strrchr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b9031d","function_name":"_time64","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69894","function_name":"free","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"
system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69cee","function_name":"malloc","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb57a5","function_name":"?what@exception@@UBEPBDXZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714e3","function_name":"??1exception@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b714f9","function_name":"??0exception@@QAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb56cd","function_name":"??0exception@@QAE@ABV0@@Z","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7132e","function_name":"_beginthreadex","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b83557","function_name":"_CxxThrowException","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"
category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bbbf99","function_name":"_callnewh","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69790","function_name":"memset","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b69910","function_name":"memcpy","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a42d","function_name":"_unlock","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f509","function_name":"__dllonexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a449","function_name":"_lock","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7112d","function_name":"_onexit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"st
atus":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb92bb","function_name":"??1type_info@@UAE@XZ","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8dc75","function_name":"_XcptFilter","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6c151","function_name":"_initterm","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bcb30f","function_name":"_amsg_exit","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6f76e","function_name":"isleadbyte","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c02900","function_name":"_iob","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b8fa7c","function_name":"_snprintf","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626}
,{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b84218","function_name":"_itoa","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75bb22bf","function_name":"wctomb","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c03210","function_name":"__badioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75c00500","function_name":"__pioinfo","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6ac15","function_name":"_fileno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74303","function_name":"_lseeki64","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b74078","function_name":"_write","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address"
:"0x75b6f383","function_name":"_isatty","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b7ca0b","function_name":"_strlwr","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b6a5b8","function_name":"_errno","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75b83495","function_name":"__CxxFrameHandler","module":"msvcrt","module_address":"0x75b60000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10000000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10000000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0
2570000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":704512},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"Kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d13e0","function_name":"CloseHandle","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d5366","function_name":"CreateFileA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1072","function_name":"CreateProcessA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f733f","function_name":"CreateToolhelp32Snapshot","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d53e4","function_name":"DeleteFileA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757e107d","function_name":"GetNativeSystemInfo","module":"kernel32",
"module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f2754","function_name":"GetTempPathA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779ee0c6","function_name":"HeapAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1499","function_name":"HeapFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x779fc7ac","function_name":"HeapReAlloc","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856459","function_name":"Module32First","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75856542","function_name":"Module32Next","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757fccf1","function_name":"MoveFileExA","module":"kernel32","module_address":"0x757c000
0","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1956","function_name":"OpenProcess","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f8ad3","function_name":"Process32First","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f882a","function_name":"Process32Next","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757eecbb","function_name":"SetFileAttributesA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1136","function_name":"WaitForSingleObject","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1282","function_name":"WriteFile","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d1826","function_name":"VirtualAlloc","module":"kernel32","module_address":"0x757c0000","ord
inal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757d183e","function_name":"VirtualFree","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x75e10000","module_name":"Advapi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e240de","function_name":"AdjustTokenPrivileges","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e53384","function_name":"ChangeServiceConfig2A","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e533a4","function_name":"ChangeServiceConfigA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e235e4","function_name":"CloseServiceHandle","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e53414","function_name":"CreateServiceA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"
return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e23f9a","function_name":"LookupPrivilegeValueA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24254","function_name":"OpenProcessToken","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b20","function_name":"OpenSCManagerA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e22b38","function_name":"OpenServiceA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1790c","function_name":"QueryServiceStatusEx","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e245ed","function_name":"RegCloseKey","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e213b1","function_name":"RegCreateKeyExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags
":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e2485b","function_name":"RegOpenKeyExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e24843","function_name":"RegQueryValueExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e1b254","function_name":"RegSetKeySecurity","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e213fb","function_name":"RegSetValueExA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x75e537ff","function_name":"StartServiceA","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"OpenSCManagerA","arguments":{"database_name":"","desired_access":983103,"machine_name":""},"category":"services","flags":{},"return_value":7204320,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.630626},{"api":"OpenServiceA","arguments":{"desired_access":5,"service_handle":"0x00000000","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"last_error":1060,"nt_status":0,"return_value":0,"stacktra
ce":[],"status":0,"tid":2868,"time":1606943652.630626},{"api":"CreateServiceA","arguments":{"desired_access":983551,"display_name":"Windows Client Server Runtime Subsystem","error_control":0,"filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss","filepath_r":"%SystemRoot%\\system32\\svchost.exe -k Wcsrss","password":"","service_handle":"0x006deca0","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem","service_start_name":"","service_type":16,"start_type":2},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select","regkey_r":"SYSTEM\\Select"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","regkey_r":"Current","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","regkey_r":"LastKnownGood","value":2},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x00000006","base_handle":"0x80000002","class":"","disposition":0,"key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServe
rRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description","regkey_r":"Description","value":"This service manages client to server coordination in the local system."},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName","regkey_r":"DisplayName","value":"Windows Client Server Runtime Subsystem"},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath","regkey_r":"ImagePath","value":"%SystemRoot%\\system32\\svchost.exe -k 
Wcsrss\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName","regkey_r":"ObjectName","value":"LocalSystem"},"category":"registry","flags":{"reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl","regkey_r":"ErrorControl","value":0},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetNativeSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","regkey_r":"WOW64","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start","regkey_r":"Start","value":2},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type","regkey_r":"Type","value":16},"category":"registry","
flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000001","base_handle":"0x80000002","key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x0000011c","reg_type":3,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","regkey_r":"FailureActions","value":"<INVALID POINTER>"},"category":"registry","flags":{"reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegQueryValueExA","arguments":{"key_handle":"0x0000011c","reg_type":3,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","regkey_r":"FailureActions","value":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":3,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","regkey_r":"FailureActions","value":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_BINARY"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"a
pi":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x40000000","base_handle":"0x00000120","class":"","disposition":1,"key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","regkey_r":"Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x0000011c","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","regkey_r":"ServiceDll","value":"%SystemRoot%\\csrss.dll\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000006","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","regkey_r":"WOW64","value":1},"category":"registry","flags":{
"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x40000000","base_handle":"0x00000120","class":"","disposition":1,"key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","regkey_r":"Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x0000011c","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","regkey_r":"ServiceDll","value":"%SystemRoot%\\csrss.dll"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000006","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","regkey_r":"WOW64","value":1},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,
"time":1606943652.646626},{"api":"RegCreateKeyExA","arguments":{"access":"0x40000000","base_handle":"0x00000120","class":"","disposition":2,"key_handle":"0x0000011c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","regkey_r":"Parameters"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x0000011c","reg_type":2,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","regkey_r":"ServiceDll","value":"%SystemRoot%\\csrss.dll"},"category":"registry","flags":{"reg_type":"REG_EXPAND_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000011c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00000002","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost","regkey_r":"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegSetValueExA","arguments":{"key_handle":"0x00000120","reg_type":7,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Svchost\\Wcsrss","regkey_r":"Wcsrss","value":"WindowsClientServerRunTimeSubsystem\u0000\u0000"},"category":"registry","flags":{"reg_type":"REG_MULTI_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeSecurityPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeRestorePrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeTakeOwnershipPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x01040000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegC
loseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00080000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x01040000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegOpenKeyExA","arguments":{"access":"0x00080000","base_handle":"0x80000002","key_handle":"0x00000120","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","regkey_r":"SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000120"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LdrGetDllHandle","arguments":{"module_addres
s":"0x757c0000","module_name":"kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f9796","function_name":"GetSystemWindowsDirectoryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"\u0000GetSystemW"},"category":"file","flags":{},"return_value":11,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"return_value":10,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"SetFileAttributesW","arguments":{"file_attributes":128,"filepath":"c:\\Windows\\csrss.exe","filepath_r":"c:\\windows\\csrss.exe"},"category":"file","flags":{"file_attributes":"FILE_ATTRIBUTE_NORMAL"},"last_error":2,"nt_status":-1073741772,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.646626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x757c0000","module_name":"kernel32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x757f9796","function_name":"GetSystemWindowsDirectoryA","module":"kernel32","module_address":"0x757c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"\u0000GetSystemW"},"category":"file","flags":{},"return_value":11,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"GetSystemWindowsDirectoryA","arguments":{"dirpath":"C:\\Windows"},"category":"file","flags":{},"retur
n_value":10,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"SetFileAttributesW","arguments":{"file_attributes":128,"filepath":"c:\\Windows\\csrss.dll","filepath_r":"c:\\windows\\csrss.dll"},"category":"file","flags":{"file_attributes":"FILE_ATTRIBUTE_NORMAL"},"last_error":2,"nt_status":-1073741772,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.646626},{"api":"NtCreateFile","arguments":{"create_disposition":5,"create_options":96,"desired_access":"0x40100080","file_attributes":6,"file_handle":"0x00000120","filepath":"c:\\Windows\\csrss.dll","filepath_r":"\\??\\c:\\windows\\csrss.dll","share_access":1,"status_info":2},"category":"file","flags":{"create_disposition":"FILE_OVERWRITE_IF","create_options":"FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE","file_attributes":"FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM","share_access":"FILE_SHARE_READ","status_info":"FILE_CREATED"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"CreateThread","arguments":{"flags":0,"function_address":"0x75b712e5","parameter":"0x00922640","stack_size":0,"thread_identifier":1980},"category":"process","flags":{},"return_value":284,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x02570000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":671744,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":1980,"time":1606943652.646626},{"api":"NtWriteFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u007fP\u00ea\u00f0;1\u0084\u00a3;1\u0084\u00a3;1\u0084\u00a3(9\u00ed\u00a391\u0084\u00a32I\u0011\u00a3=1\u0084\u00a32I\u0017\u00a391\u0084\u00a32I\u0007\u00a3\u00061\u0084\u00a3%c\u0000\u00a381\u0084\u00a3\u00f8>\u00d9\u00a3>1\u0084\u00a3;1\u0085\u00a3D1\u0084\u00a32I\u0000\u00a3*1\u0084\u00a3\u001c\u00f7\u00fa\u00a3:1\u0084\u00a3 \u00ac+\u00a341\u0084\u00a3 \u00ac\u001f\u00a3:1\u0084\u00a3 \u00ac\u0019\u00a3:1\u0084\u00a3Rich;1\u0084\u00a3\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0003\u0000\u001f\u00e7}8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002!\u000b\u0001\n\u0000\u0000@\n\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u00b0\u00d8\n\u0000\u0000\u00b0\u0000\u0000\u0000\u00f0\n\u0000\u0000\u0000\u0000\u0010\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000b\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0001\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00c8\u00f0\n\u0000\u0084\u0000\u0000\u0000\u0000\u00f0\n\u0000\u00c8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\u00f1\n\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u00e4\n\u0000H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000<t\n\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000UPX0\u0000\u0000\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u00e0UPX1\u0000\u0000\u0000\u0000\u0000@\n\u0000\u0000\u00b0\u0000\u0000\u00006\n\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0UPX2\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00f0\n\u0000\u0000\u0002\u0000\u0000\u0000:\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00003.91\u0000UPX!\r\t\u000e\nhX\u00d7\u00e7\u00f5p\u00f9\u00ae\u00e0\u00bc\n\u0000\u00a3(\n\u0000\u0000\u0086\n\u0000I\u0001\u0000:\u001a\u0003\u00004\u0000,\b\u00d1\u00fb\u0088\u00edfs\u0090\u00de?\u0015\u00b7\u00f0\u008e\u0016\u00fc\u00cd\u000eB3\u000f-j\u00a6\u00c4\u00ec\u00bc\u0006\u00fa\\7\u00fbA\u008c\u0099\u0016\u0094\u00dfG\u0005\u0095\u00e2\u00d4o4E\u008e\u00fd\u0016r\u00d8 H\u00e8\u00a2\u00ea*\u001e\u00dd.\"\u000e\u0088\u0085\u00131\u00ef\u00b6\u0001j|\u00bd\u00a2\u00a9\u00be\u00d6\u00ba{3\u0018\f\u00a9\u00f4\u00c5\u00e3\u00d8\u00cf\u00b5+\u0011\u0097\u00e9\u0016\u0082u\u00d5\r\u0090>\u00ae$\u00e4\u0084f!\u00ecP\u00b3\u00b3\u00dao 
\u0086\u0099@\u00de8'\u00a6c\u00f0\f\u008c\u00a5\u00d4\u001fr\u0087\u00b7-+x\u008aF\u00aa\f\u00a0\u00cbz<\u00ca7\u0003\u00bf\u00f0Fs&s\u00bfJ\u0000J\u0094N\u00d1\u00df\u00bc\u00a1\u0093\u00d5\u0094<\u0094\u00a3'>&\u0014Oa`\u0012C\u0013\u008b\u0087\u0006\u00cf\u00aa\u00fe8c\u00dbQ\u00ad\u009a-%B:G\u00ef\u0083\u00b9F\u00fd\u0080\u0017Z\u00a7Ko\u00a5\u0084\u00f0v\u0094\u00c1\u0017\u00c4\u0015X\u00b8L\u00b11\u0087\u00dd'X'\u00cd:\u00bb\\O\t\u00e9\u0083\u00ea\u00b9\u008a\u00ae\u00dc\u00be\u0018$wQ@{\u00a4\u00e2\u0098\u0019@\u0015\u00b7r\u00f3\u00f3\u00ae\u00b9\"uj\u00a4i\u00fe\u00817:\u00c7\u007f=p\u00f6\u0001\u00f5qK\u00ecx\u00aa\u00fcsR\u0017y\u001f\u00b0\u00ff\u00c7!\u0094\u00c6\u00e2\u00e0\u0014l\u0012\u00da\u0000v\u001b\u000b\u0015R!T\u008dG\u00ff\u00c319\u0093\u00c5n\u0013\u00a9\u00d5l\u008e\u008e\u0086U[\u0086\u00f1\f\u00b8\u0016\u00aeN\u0006 -\u00ef\u00a8\u00ea\u000fi\u00cd?\u00bc\u001a\u00b7F]\u001e\u00e1\u00e1\u00e2\u00a8\u00f7E\u00e3\u00c53\u00b9b\u0012\u00cf\u00f4J\u009f\u0013]\u00c6.\u00ffc\u0013\u008cAn2\u0007\u0088\u00e1\u00f4n!0\u00e10z\u00ab\f\u0001/\u00a2\u0087bu\u00b6\u00d3WN\u00c9\u008b\u00d8\u001f7Qh\u00e2\u000bk\u00e8VS])\u0007\u00e6H\u0004\u00a4\u0014p\u00a6\u00b3P\u00b7\u00cb\u00f0O\u0001\u00e6M\u007fL\u00a4-\u0019\u0012\u001eN\u009e\fa\u00c25\u0002\u00e4=e\u00e8\u00deJ\u001aM\u00e8;,\u00e2@26M&J\u00d7\u00b7\u00d6\u0085\u009f\u00bb\u00b0\u0098\u00b8c\u001d\u00a1E\u00e3\u00dfW\u00e5yP\u00e3\u00ec\u00fc\u007fu\u0004\u00bc`)\u00eb\u00f8\u00a8\u0093^\u0088\u00ac\u00bc!\u00f3\u0019\f\u0011P8ZI\u00e4/U\u00ef\u0099\t\u00c0\u00e4v\u0001\u0086JU\u00a8\u00f6Y\u0090\u0084\u0016+\u00ebZ\u00a7'^Z{\u00ed\u001eT\u00d4\u0083\u0081\u00d0\u00ec\u00d2\u0098\u00aaL\u00c9\u00aa\u0083X\u00cfT\t'\u00c7\u00d9\u0013[\u0093F\u00be/\u00e3\u00c4\u00d85\u00beR\u00a1\u00ec\u00c3\u0019wEu\u00bb\u00b4(\u00d0\u00a0\u0095_\u00d0u\u00fd\u00f5\u001e\u00c1\u0003eX\u00bd\u00925\u0003\u0089\u00c5\u00aa9\u0007P\u008c\u0015\u00e8\u00ea\u00a8U-\u0010\u00c2\u00c3\u001c\u00c3\u00a3\u00df\u0
0ef\u0014\u009c*\u0001u\u0001\u00e0\u00b3wd\u0012\u00f5]'\u0002\u00f0\u00bbV\"\u009e\u009d\u00e6\u009b\u0012\u0019\u0013<:]\u001c\u00c4\u00cf\u00d9\u00ed\u00d1j\u0081\u0003\u00adZ&`$\u009f\u00b2*\u00a10\u00f3\u00d97\u00b7\u00bc\u00f9\f\u0014+M\u0011l\u00b32\u00d4\u0010\u00c9V\u00ce\u00f2\u00abO\u00caNx\u008b\u00ac1A\u00e9OxQ\u00df\u0016\u00af\u00c7O*\u00df\u00e1\u0080\u00fa\u0098\u0096(2&\u00a4\u00b0\u00f102\\\u0019\u0013li\u00eax\u008c\\C\u0094\u00ef\u00a8\u00a4\u00b1b|r\u00b9\u00f9\u00aa7\u00c9)\u00c5m\u00e6\u00a9\u00c9c\u0010\u00fbj\u00f5\u009d\u00b9\n\u00e4\u001a\u00f6\u0019\u00ae\u0091\u00a5\u00ef{R\u00e4\u00b7J\u00c7-\u0089\u00b3\u00b4pq\u00ddw\u00b68\u00ea\u009a\u0087k\u008ck\"X\u00bcoAwU\u00f6x\u0007[/\u00da\u00f5s\u00a0\b\u0090\u00d3\u0003\u00de\u0086\u00c1\u0084\u00c7\u00010\\\u00db\u009a\u00c1F{W;\u0006n\u00b4\f\u0012\u00fb\u00c0d\u00f3\u0018\u00e0ho\u00d3\u00ceA\u00b8\u0098\u00b7\u001c\u00ca\u008a2`.\u00f2\u00d0;\u0095/\u0015Q\u009eX\u009d|\u00eb\u0018Fs\u00f8\u00aa;\u00ae\u001c\u0011K\u00f9\u000f\u007f+\rM\u001f`\u009a\u00e2#\u00ca\u00b1\u00d3\u0094#\u0003^\u00ae\u00ce\u00f4e\u0090\u00b2\u00e6y\u0011\u00151\u00c3\n\u0011\u00ac\u008a\u00d4\u00ccM\u001bdd\u0082t\u0013\u00f5@\u00ddB\u0083Z\u001bs8F\u00b53\u00e4\u0017\u00ff\u00ab\u00c0-\u00d3!\u0088\u001cb\u001f\u001c_\u0089I|Q\u00b2\u0092\u00ddI*\u008f\u00af\u000e\u001f\u008f\u00ff8\u009c\u00d6\u00dc\u00b1\u0087l\u00c8\u007f\u0089p\u0099Ot\u00bf4\u00a5C\u00e9\u00a9p\u0089\u00ee\u0017\u0013\"\u0018M\u00e4\u00d4HC\u0015H\u00f6lj\u0017v;5\u00d1\u008e:\u001e_\u00ca\u00f2\u0093c\u00ff\u0014\u00d3\u00acf\u00e7\u00c5-\u0018\u00d3\u0097\u0002P\u00ef\u00a5^\u0098\u000ec\u00fb\u0083R\u00efF|\u00adix(\u00d2B\u00ed\u00a4\u00d0\u00b7\u00d0\u00bf\u0089^6\u0011\u009c\u0087\u00f15\u0016~k\u001bD\u0097\u0014\u0015\u00ab7\u0088\u00b5\u00f5\u008f\u00e1\u0080T>\u00de\u008d\u00e6+\u00e0x/\u009f\u009f\u0083'\"\u00e6_|\u00ef\u00c2\u0080\u00b7M('\u00b1\u0003\u001e\u0081\r\u00e6\u008f@CG\u00c3^2\u00a9\\\u00d3!\u00dd2$f\u008d\u00ca
.\u00871k\u00f7\\.\u00a9rY\u00b7\u0097i\u00e1E\u0084\u008dVb{\u0095*^x\u009eQ\u00e0(\u00f6\u0015b%_\u0096KNs\r\u0091\u0097\u00ef\u00eb}/\u00d5L\u00c5c\u0081U\u0018e&+\u00f60\u00de\u0095$\u00fd /\u00e3\u0085\u0088)/\u00d1c\u00c2\u00a2PEi=qY\u00c8\u008f\f\u00a0\u0082\u0084\u00c3\u00cb\nj\u00b0)r\u00f2\u0092\u00fd\u00f3\u00de\f\u00a0Y\u00e3d0S\u00f1b\u008a\u00c6\u008c\u00c3\u00cf\u00b9M\u0086\u00d63(K<\u00d8a[8\u0016\u00dc+Ja\u00ff\u00d4\"\u0003.AT\u0011f\u00c4\u00afsS\u008b\u00e4C*\u00bc\u00fe\u00bb\u00a1\u001a\u0087_p9U?\u00da}R\u00cc\u009a\u008cr\no\u0084\u00a3\n\u0090\u00e1\u00ad\r\u001dwk\u0000\u00e5_|)\u0083V>\u00ac\u0081N\u00e8\u00ca\u000e\u008f\u00b3\u00d6l\u00fcl1\u001b\u0011\u00c5\u0013\u0007s\u00fd\u00e0z\u00b2\u00ee\u001c5=\u00b5.;\u00ee\u00b1\u001d\u0098\u008d\u00f5_\u00f9\u0087&\u009e?.\u0087\u00d1\u00e5\u0091\u00fb\u0096g\u001fcu;\u00fe\u00fev\u0018PUGe\u00c6\u008f+\u0081\u00b8>\u00d3\u009a\u00a8\u007f\u00bfGD\u00c0\u00ed\u00af\u00bb\u00f0Y\u0005\u00b9\u0016\u009d_\u0080\u00c6j^\u00f8x\u00d8h\u0017|b\u00c7?\u0086!\u0082M\u00afj\u00c7\u00d0\u00e9b\u0007\u00eb\u00b3]\u009e\u009cK\u00d9\b%\u0097\u00d5\u00b5\u00df\u00af\u00e4\u0095\u00f1z\u00e7\u0099\u00b1]\u00fae%\u00e1\u00a3\u0011=}]lA[a \u009c\u00a5\u00cd\u00ab\u00f1 
\u00e2\u009b\u0001\u00df\u001a;tm\u00e9~\u0085\u00a2\u00f1\u009f\u00f91\u00d8\u00d2\u00d9\u001a\f\u009aC\u00b0R\u0084|f\u000f\u0099\u00bd\u00e3\u00ef\u00da\u001bA\u00f2\u00ed\u00e5\u0015B\u0011u\u00ae\u00ae\u00ae\u00f2\u00f1a@.>\u0013\u0098\u00ffy)\u009e\u0001\u00a8^\"\u00df\u00e13\u00d6\tl\u00e59X\u00ac\u0096\u0090\u00df\u0013\u0084\u00db\u008eX\u00dd\u00c2\u00f8\u00edr,\u00ea[&\u00e6A\u00cb0\u0006\u00a5\u00c1$\u00a2B\u0002?z\u00e7\u00c7\u0013\u00c1C!\u009d\u00d9\rRU\u0019\u009c-\u00b6\u00bfDs\u00a0\u0093YE\u00c4\u00f6\u00e8T,f\u00cf4\u000b\u00f4\u00b5\u00fb\u00ce\u0002a\u00a8\u009bS\u0097\u001b\u00cb9:\u00e2\u00bf\u0089\u00fcG\u00b0sssyNx\u00f7\u0088u\u00c8\u00cc\u00d2\u00f7\u0092\u00d2\u00b3\u009e\u009a\u00f2c\u00ff\fl\u0099\u0011\u00f0\u00ed~hY)\u00bfr\u00d9\u0006\u00ac\u00daU\u0004\u00d0o\u00f0H\u00fd\u0003\u0010k\u0002S]k_o\u009c\u0087\u001a\u00c0\u00e0\u00f4E\u00a5\u00bd\u00b6D\u000e\u00ee\u00f9*\u0081+L4\u00058\u00c1\u00db9i\u008f\u00b9R}\u00c1\u00c8\u00a1\u0081\u00b0r\u0003z`H\u00d9\u00ca\u00f7}0\u00b2+Y\u00bd\u00dd\u008at\u009e\u001d\u00fd@\u00b7\u00de\u0082\u00c7\u00fe\u0000 
\u00edb\u00a0>f\u00c9\u00eb&DGD\u0083i\u00cf9O\u001b\u001d\u0004&|g\u00d1\u00bb\u00dc\u00b5>b0p\u00d6A\u0083\u00ea\u009a\u00a4\u0092)\u008e&\u00ca8w\u00d9-\u00aerz\u0003\u0018\u00d7\u009e\"\u0013v\u00e6c=\u009c0\u00c4:\u00b5\u0089|\u0093q.\u0017\u00f2\u0000\u00c6\u00a9`\u00e0-\u0017\u00c32\u000e\u0016\u00d8t\u00cd\u00c0=\u001a\u00b0\u0093\u0081\u00c5e\u00c0\u00d5x\u00e3\u0019\u00839\u0015\u00c0\u001f\u0005\u00b0\u00d4\u00d5\u0097\u00ec\u00c7\u00af\rIknKK\u0083Wo\u008c:\t`\u00ae\u00db\u00f2j*\u009b]\u009b\u00c8\u008c\u0018(C+\u00cc/\u00cd\u0016\u0083S,\u00d5\u00f3c\u0018\u0007c9\u0002\u0011\u00eb\u00d7/9(\r\u00acU_\u001a\u00db\u00904r\u0000R\u00f2\u0019+\u00f8\u00ee\u0016\u00f2\u001d\u00e0\u0097\u00c2*]\u00d9sv\u001b\u0096\u0099\u009a\u0095\u00c6\u00df]\u00a5\u00a1R\u0017}\u00882\u0016~3a$\u00d8\u00dd\u00f8\u00ed\f\u00edO\u0088\u00ebx\u00f2\u00ce\u00bds\u00d5\u00ba5\u00e5\u00ba\u00c6\u0016!\b\u00de\u00e0\u00b0\u00ce\u00fb\u00e9\u00e4\u00a1\u00f9\u0012\u00a0\u0091\u00e1\u00aa\u0018}\u00f5\u0018 
\u00c4\u00fc1\u00f1ti\r\u00b1w\u00830\u008f\u00a8\u0086\u00e10P\u00e4\u0088\u00dc\u00c0.,-\u008f^\u00b8/\u0013\u00ee\u0094!y\u00c3\u00d2\u008e\u00ab\u00ff7L\u00ef\u00c7\u00af\u0014\u00d0\u00e8\u00f0u\u00de\u0092`\u0007a\u0091v\u00c2\u00a64\u0098\u00c9y\u008e\u00cf\u00bf4^\u00908\u00dd>Hm\u00c2\u00a2\u0091K\u0004;}\u0006\u0095+>.\u0012E\u00d7[\u0095\u00ea&\u00e9\u0004\u00b4\u00c3\u00ba'\u001f\u00a5A\u00edQ-n\u00ee\u0098d\u00a6\u00b9vd\u00e1\u0082\u008f\u00daC\u00f6&m\u00b9\u00ff\u00e5\u00ea:\u00ca\u001e]\u00cf8V\u00fe\u0019\u00a3\u0096\u00ccv\u00d3\u00e4\b,\u00e1\u009dM\u0094l\u00146&\u001bH4d\\K\u00b6A\u00ff\u001d\b\u0097>\u00b3\u0001\u0087\u00a0{\u0017qr\u00f9\u0007HY\f\u00db\u00df\u00e2\u009e\u00aa(/a7M\u00d7H\u0007\u00cb\u00c3Yo\u0081;L\u009b7\u00be\u00fc\u009c<\u00ec\u00cb\u00fa\u00d3<>n\u00d8.L\u000ej\u0097D&\u00a4C`H\u0085\u00b0?1\nR>\u0010\u00daVstoUbO:\u00dd\u001a\u009a\u00b3%HA\u00ce\u0014\u00a9O\u00b7\u00d6\u00b6\u00da71\u00b0v\b.\u00e3g\u00b4\u001c\u00bar\u00f43\u009dl\u009d\u00a3\u00d1\u00d5\u00c5\u0004C\\\u0083 ft\u00d9E\u0083U,%\u00c5P\u0084\u00e5E\t\u00ec\u000e\u0004\u00e0$\u00a9\u00ac\r7\u00a0\u00e1\u00b7jg\u0086\u00978 t>\u00d7\r\u0081\u00d1\u00ac\u008c\u00c33[}\u00c5\u00d2\u00fa\u00cbNb\u00e4U><o\u00af~\u00fdWhAK{^\u001aq\t\u0082G\u0013\u0004\u00b6\u000b\u00e5\u00f5<\u00ff\u00a39cV\u009d \u00de\u00e9\u00d2?\u0097\u00dca\u001fA=\u0000]\u00d98@\u00b8\u00e5\u000e\u00e7\u00ffZ\u0002\u00d5\u00f3A\u0004kw\u0091\u00eb\u00a0\u008b\u0012X\u00ccr\u00c2 \u001d\u00adv\u00d3 
\u00eeWL\u00ee\u00b8\u00d3P\u0081\u0083\u00fb\u00b7\u00fa\u00a5\u00a1\u00cd\u00ab'~`/}\u0010\u00f3\u001f}\u00a3-;\u0086\u00f8\u00b8\u00d1rGF\u00ad\u00b5\u0010\u00b46\u00a2\u0000\u00b4\u00ef\u00f3\u00f3\u00a1\u00eb\u009c?\\\u008fl\u0001\u0099(\u00a1\u00ec\u00c0\u00df\u00fe\u00e4kh|\u0094\u00e1`|\u0081\u00cf_\u0013K\u009f\u0085g\u00b9l\u00ca\u001d\u00dd3\u0002\u00b1\u00d3\u0081\u007f\u00f2d\u001d\u00c3\u001d\u00cc\u0095ob\u00d5\u0001\u0098\u00a3d7\u00a7\u00cb\u0093\u0093\u0005o\u00b6\u00a7\u0096\u00e1\u00c5\u0091\u007f\u0090:\u00d2\u00dfX\u0092\u00e2\u0018\u00b6\u00c2$d\u00ce\u00ea\u00b8p\u00a0\u009d\u00aa\u0003\u00ec\u001bi\u00eeU\u00ae\u00b51\u0002N`Fa\u0092\u001a_\u00ad\u00b2.\u00d4<\u00cfs\u007fx\u00ceA>\u00a9\u00c8D\u000bu\u0081\u009f\u00b6\u0093\u0088\u00c1\u00fb\u00bb\u00b5\u00df6\u0089\u00b7\u00a7\u00ec&A\u0018\u00ab\u0094\u0019\u00e2\u0095\u00b6(\u008f\u00d4d\u00e0\u00bd@\u00b7\u00e8\u0081\u00f0|K\u00a5n\fG\u0096\u00b9l\u00cbK_\u00c8\u00cd\u0080{\u00f3\u00c6\u009dk\u009a\u00ce\u00d3\u009b\u00a4\t$\u007f|k\u00df\u00e7t\f\u0012\u00b4'\u0088\u00c1\u00ba\u00b3\u00cbGw\u0002\u00a1\u00c3\u00acE\u0090\u00e6\u00af\u00cb\u00bf\u00beW\u009d\u009d\u00fa\u00e5\u00e4\u00b3d.\bl\u0011\u0085\u00d4\u00afo\u00d2\u0015\u00d4\u008a\u0015\u00fb\u00d0\u0086R}o\u00fe7\u00faZ\u00a1^\u00d8`/n\u00c0\u0002\u008c\u00ea\u00e3\u00f5\u009f\u00d3E\u0012\u001b\u0098\u00ecIT\u00f1-\u00af\u00ca\u0090\u00c8\u00c0-z\u00f5\u00be\u00f7\u0087\u00af\u00f1Q\u0017\u00aa\u00f3(\u000f\u00e2\u008fp\u00a9\u00e5w2\\!qlQ\u0094B\u00c3:\u00e6\u008c\u0019\u008a\u00fb\u00fe\u0093\u00e0M\u00c8o\u0007;\u00d61\u00e2\u00ee\u00a4H\u00d0\u00ca\u0012Nb\u00bb\u00f8\u00c9R\u0092\u00da\u0083B9\u00d8\u00a6u\u00b7\u00ea\u0086\u0017\u00b1\u00cd)ss\u00b5Y\u00af\u0019'\u00ab\u00f6<7\u00a4^\u00ae\u00eel\u00b8y\n\u0014\u00cf\u00ecsk\u00af\u00fa\u0082J\u00bd\u001f\u008c7rd%\u00d1%9`\u0087g#\u001d\u0098\u0082i\u00f3\u00c3W\u0084q\u00e1\u00ec\u00cb+\u00d6\u0085\u008c\u00f6q\u00e2\u0091\u00f6\u001du\u001f\u00fc\u00e1\u00a8]\u0081\
u00d2\u00eac#\u00d6\u0095}|\u008d\u00cd\u00db\u00aaEy\u00f1\u0098]\u00bf\u00c5\u001d\u008da\u00c8\u0012\u008e\u00a8\u0080]\u00fe>\u00910Sqo\u00fbC\u00913i\n\u00b2\th_\u0086b\u00b2\u0012\u00dfX\u001c\u0018\u0006\u0007d?\u00cb\u0013\f>\u0019C\u000bI\u00132'\u00db]9\u0082\u0088\u0097\u0080\u00ff\u0005\u00c6|w\u0003\u00e6\u000euE\u0000\u00ab<8\u008d\u00a5\u0094\u00ac\u00e7\u00ceo#\u00eazz\u00eb\u00e3\u00f2W\u00dbb\u0080\u009a\u00aa\u0014_\u00d1\u00ee\u001f\u0014\u00d2g\u00d85\u00d4\u00fc\u00ccIV\u0091\u0098\u00fe\u00edqC=\u00e6\u000er\u00ce\u00a3\u0014\u0018\u00e5|\u00b2o\u00d5\u00ac\u001f@\u0007\u00ad\u001bca\u008c\u0013\u00d2\u00da\u009c\u00fc\u008bp}mQ\u00e1\u008f\u00e7\u00f2\u00c5\u00f5\u00ac\u00e4$g\u00b7\u00bf\u0001m\u00d8\u00fa\u0006V\u00a0\u00990\u0083\u00ba\u00df\u009c\u00b5\u001cn^6\u00d9v\u00fc\u00aa\u00fc\u00aeP\u00be1\u00c5\u00d7 \u0084\u00e4@\\D-\u000b\u00ac\u00cf\u00d4i/\u001b7#\u00bbxo\u00b6I\u0012\u00d7P\u00e9\u00c0\u00dfL\rn\u00bf\u0081\u0083\u0000\u00a1\u00f1\u00b7\u00b9\u00ca\u00a5\u00f3%[\u009f\u00b4\u0018\u00d9\u00de\u0010","file_handle":"0x00000120","filepath":"C:\\Windows\\csrss.dll","offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtClose","arguments":{"handle":"0x00000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x02570000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":671744},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"OpenServiceA","arguments":{"desired_access":16,"service_handle":"0x006deca0","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},{"api":"StartServiceA",
"arguments":{"arguments":[],"service_handle":"0x006deca0","service_name":"WindowsClientServerRunTimeSubsystem"},"category":"services","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000140"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x742d36a0","function_name":"CryptReleaseContext","module":"CRYPTSP","module_address":"0x742d0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x00000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741772,"return_value":3221225781,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x00000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x00000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000210"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000020c"},"category":"system","flags":{},"return_va
lue":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000218"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000214"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000204"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000200"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001c4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000000"},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":3221225480,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000000"},"category":"system","flags":{},"last_error":6,"nt_status":-1073741816,"return_value":3221225480,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a191e2","function_name":"UnregisterTraceGuids","module":"api-ms-win-downlevel-adva
pi32-l1-1-0","module_address":"0x76ca0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x7552e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001bc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001b8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001b0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001b4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000001ac"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000194"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000198"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000019c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"stat
us":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001a0"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001c8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001cc"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001a4"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"RegCloseKey","arguments":{"key_handle":"0x000001a8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000160"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x00660000","process_handle":"0xffffffff","process_identifier":2976,"region_size":28672},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000170"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00670000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address"
:"0x00670000","free_type":32768,"process_handle":"0xffffffff","process_identifier":2976,"size":65536},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x00610000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000164"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x004d0000","process_handle":"0xffffffff","process_identifier":2976,"region_size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000150"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000014c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000013c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrUnloadDll","arguments":{"library":"PROPSYS","module_address":"0x74190000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x77a191e2","function_name":"UnregisterTraceGuids","module":"advapi32","module_address":"0x75e10000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000138"},"category":"system","flags":{},"return_value":0,"stacktrace":[]
,"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000114"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000128"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00727000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":65536},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0071e000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":16384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x006f8000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":12288},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00709000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00712000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":8192},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0071a000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626
},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x00702000","free_type":16384,"process_handle":"0xffffffff","process_identifier":2976,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000084"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000050"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x740212b3","function_name":"","module":"comctl32","module_address":"0x73ff0000","ordinal":321},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00702000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x00712000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0071a000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocat
ion_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000007c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000070"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000074"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000078"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000080"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x00380000","process_handle":"0xffffffff","process_identifier":2976,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000108"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000158"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"LdrUnloadDll","arguments":{"library":"IMM32","module_address":"0x75f10000"},"category":"system","flags":{},"retu
rn_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x00000068","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000068","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741816,"return_value":3221225524,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000068"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000040"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000044"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x000000b8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x00000038"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtClose","arguments":{"handle":"0x0000003c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.661626},{"api":"NtTerminateProcess","arguments":{"process_handle":"0xffffffff","process_identifier":2976,"status_code":"0x00000000"},"category"
:"process","flags":{},"last_error":0,"nt_status":-1073741816,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943652.661626}],"command_line":"\"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe\" ","first_seen":1606943648.427626,"modules":[{"baseaddr":"0x3c0000","basename":"Win32.DarkTequila.exe","filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","imgsize":933888},{"baseaddr":"0x779c0000","basename":"ntdll.dll","filepath":"C:\\Windows\\SysWOW64\\ntdll.dll","imgsize":1572864},{"baseaddr":"0x757c0000","basename":"kernel32.dll","filepath":"C:\\Windows\\syswow64\\kernel32.dll","imgsize":1114112},{"baseaddr":"0x75c10000","basename":"KERNELBASE.dll","filepath":"C:\\Windows\\syswow64\\KERNELBASE.dll","imgsize":290816},{"baseaddr":"0x75b60000","basename":"msvcrt.dll","filepath":"C:\\Windows\\syswow64\\msvcrt.dll","imgsize":704512},{"baseaddr":"0x742f0000","basename":"monitor-x86.dll","filepath":"C:\\tmpcaygsr\\bin\\monitor-x86.dll","imgsize":2117632}],"pid":2976,"ppid":3028,"process_name":"Win32.DarkTequila.exe","process_path":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","tid":2868,"time":0,"track":true,"type":"process"},{"calls":[{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007fef4e70000","module_name":"api-ms-win-core-synch-l1-2-0.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x0000000077814320","function_name":"InitializeConditionVariable","module":"api-ms-win-core-synch-l1-2-0","module_address":"0x000007fef4e70000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetProcedureAd
dress","arguments":{"function_address":"0x000000007760b6d0","function_name":"SleepConditionVariableCS","module":"api-ms-win-core-synch-l1-2-0","module_address":"0x000007fef4e70000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x00000000777feea0","function_name":"WakeAllConditionVariable","module":"api-ms-win-core-synch-l1-2-0","module_address":"0x000007fef4e70000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"SetUnhandledExceptionFilter","arguments":{},"category":"exception","flags":{},"last_error":0,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.38402},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000000e50000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000e50000","free_type":32768,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":1048576},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000000e50000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":2093056,"stack_dep_bypass":0,"stac
k_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000e50000","free_type":32768,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":2093056},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000000f00000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000f01000","free_type":16384,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":1044480},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x0000000001000000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":1048576,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000001002000","free_type":16384,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":1040384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","ar
guments":{"allocation_type":4096,"base_address":"0x0000000001002000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001003000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001004000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001006000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":57344,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001014000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"a
llocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00001000","process_handle":"0x0000000000000050","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.38402},{"api":"NtOpenFile","arguments":{"desired_access":"0x00100080","file_handle":"0x0000000000000054","filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","filepath_r":"\\Device\\HarddiskVolume2\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","open_options":16416,"share_access":7,"status_info":1},"category":"file","flags":{"desired_access":"FILE_READ_ATTRIBUTES","open_options":"FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"GetFileInformationByHandle","arguments":{"file_handle":"0x0000000000000054"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtClose","arguments":{"handle":"0x0000000000000054"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":16416,"desired_access":"0x00100080","file_attributes":0,"file_handle":"0x0000000000000054","filepath":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","filepath_r":"\\??\\C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","share_access":7,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"GetFileInformationByHandle","arguments":{"file_handle":"0x0000000000000054"},"category":"file","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtClose","arguments":{"handle":"0x0000000000000054"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"NtClose","arguments":{"handle":"0x0000000000000050"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"RegCreateKeyExW","arguments":{"access":"0x000f003f","base_handle":"0xffffffff80000001","class":"","disposition":2,"key_handle":"0x0000000000000054","options":0,"regkey":"HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher","regkey_r":"SOFTWARE\\Mozilla\\Firefox\\Launcher"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000000000000054","reg_type":4,"regkey":"HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","regkey_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","value":1579293992},"category":"registry","flags":{"reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.40002},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000000000000054","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla 
Firefox\\firefox.exe|Launcher","regkey_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.40002},{"api":"RegQueryValueExW","arguments":{"key_handle":"0x0000000000000054","reg_type":0,"regkey":"HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","regkey_r":"C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","value":""},"category":"registry","flags":{"reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741772,"return_value":2,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.40002},{"api":"NtOpenProcess","arguments":{"desired_access":"0x00001000","process_handle":"0x0000000000000058","process_identifier":2976},"category":"process","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtClose","arguments":{"handle":"0x0000000000000058"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000001015000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":65536,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtClose","arguments":{"handle":"0x0000000000000058"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.41502},{"api":"NtQuerySystemInformation","argum
ents":{"information_class":0},"category":"system","flags":{"information_class":"SystemBasicInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.43102},{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x000000007790e000","heap_dep_bypass":0,"length":4096,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":2,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.43102},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.43102},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741823,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.43102},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1073741823,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.43102},{"api":"LdrLoadDll","arguments":{"basename":"IMM32","flags":0,"module_address":"0x000007feff1f0000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007feff1f0000","module_name":"C:\\Windows\\system32\\IMM32.DLL","stack_pivoted":0},"category":"system","flags":{},"retu
rn_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Error Message Instrument\\"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":126,"nt_status":-1073741515,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000005c","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000005c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":126,"nt_status":-1073741515,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"NtClose","arguments":{"handle":"0x000000000000005c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007feff340000","module_name":"LPK.DLL","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff346ab0","function_name":"LpkTabbedTextOut","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureA
ddress","arguments":{"function_address":"0x000007feff345300","function_name":"LpkPSMTextOut","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff341460","function_name":"LpkDrawTextEx","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff34a050","function_name":"LpkEditControl","module":"LPK","module_address":"0x000007feff340000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtClose","arguments":{"handle":"0x0000000000000070"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtClose","arguments":{"handle":"0x000000000000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs","value":0},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000006c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrLoadDll","arguments":{"basename":"gdi32","flags":0,"module_address":"0x000007fefdf40000","module_name":"gdi32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefdf458f0","function_name":"GetCharABCWidthsI","module":"GDI32","module_address":"0x000007fefdf40000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.4
4702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":5,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000006c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":0,
"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":5,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000006c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x000007feff660000","module_name":"rpcrt4.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff6ae660","function_name":"I_RpcInitNdrImports","module":"RPCRT4","module_address":"0x000007feff660000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":0,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.44702},{"api":"NtOpenDirectoryObject","arguments":{"desired_access":"0x0000000f","directory_handle":"0x0000000000
000088","dirpath":"\\Sessions\\1\\BaseNamedObjects","dirpath_r":"\\Sessions\\1\\BaseNamedObjects"},"category":"file","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrLoadDll","arguments":{"basename":"ole32","flags":0,"module_address":"0x000007fefd890000","module_name":"ole32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8b0870","function_name":"CoInitializeEx","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.44702},{"api":"CoInitializeEx","arguments":{"options":2},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000ac","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000ac","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","value":"ntmarta.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"tim
e":1606943220.46202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000ac","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","value":"ntmarta.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.46202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":4,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity","value":1},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_DWORD"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{
"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_acce
ss":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x00000000000000b8","options":0,"regkey":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x00000000000000b8","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000b8"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},
{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"LdrLoadDll","arguments":{"basename":"ntmarta","flags":0,"module_address":"0x000007fefc6c0000","module_name":"ntmarta.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefc6c1654","function_name":"GetMartaExtensionInterface","module":"ntmarta","module_address":"0x000007fefc6c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"RegCloseKey","arguments":{"key_handle":"0x00000000000000ac"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8a74a8","function_name":"CoInitializeSecurity","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.47802},{"api":"CoInitializeSecurity","arguments":{},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtClose","arguments":{"handle":"0x00000000000000a8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8b4650","function_name":"CoCreateInstance","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"CoCreateInstance","arguments":{"class_context":1,"clsid":"{0000034b-0000-0000-c000-000000000046}","iid":"{0000015b-0000-0000-c000-000000000046}"
},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"GetSystemDirectoryW","arguments":{"dirpath":"C:\\Windows\\system32"},"category":"file","flags":{},"return_value":19,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":0,"nt_status":-1073741700,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.49402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"},"category":"registry","flags":{"desired_access":""},"last_error":203,"nt_status":-1073741568,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.49402},{"api":"LdrLoadDll","arguments":{"basename":"OLEAUT32","flags":0,"module_address":"0x000007feff790000","module_name":"OLEAUT32.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"s
tacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7b2880","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":327},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff793280","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791240","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":8},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.49402},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x00000000775e1eb0","function_name":"FlsGetValue","module":"kernel32","module_address":"0x00000000775c0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.54002},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c03000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.61902},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0xfffffffffffffffe","source_process_handle":"0xffffffffffffffff","source_process_identifier":1952,"target_handle":"0x0000000000000148","target_process_handle":"0xffffffffffffffff","target_process_identifier":1952},"category":"sy
stem","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.61902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c04000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":684,"time":1606943220.61902},{"api":"NtDuplicateObject","arguments":{"desired_access":"0x00000000","handle_attributes":0,"options":2,"source_handle":"0xfffffffffffffffe","source_process_handle":"0xffffffffffffffff","source_process_identifier":1952,"target_handle":"0x0000000000000150","target_process_handle":"0xffffffffffffffff","target_process_identifier":1952},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2108,"time":1606943220.61902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c06000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":8192,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2108,"time":1606943220.61902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c08000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":32768,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2264,"time":1606943220.61902},{"api":"CoCreateInstance","arguments":{"class_context":5,"clsid":"{9ba05972-f6a8-11cf-a442-00a0c90a8f39}","iid":"{85cb6900-4d95-11cf-960c-0080c7f4ee85}"}
,"category":"ole","flags":{"clsid":"ShellWindows","iid":"IID_IShellWindows"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrLoadDll","arguments":{"basename":"OLEAUT32","flags":0,"module_address":"0x000007feff790000","module_name":"OLEAUT32","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7962e0","function_name":"BSTR_UserSize","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff796310","function_name":"BSTR_UserMarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff796690","function_name":"BSTR_UserUnmarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff796650","function_name":"BSTR_UserFree","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff798810","function_name":"VARIANT_UserSize","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff79
86c0","function_name":"VARIANT_UserMarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff798300","function_name":"VARIANT_UserUnmarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff798120","function_name":"VARIANT_UserFree","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7e1a20","function_name":"LPSAFEARRAY_UserSize","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7e1a10","function_name":"LPSAFEARRAY_UserMarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff7f8b60","function_name":"LPSAFEARRAY_UserUnmarshal","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff8012a0","function_name":"LPSAFEARRAY_UserFree","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":0},"category":"system","flags":{},"return_value
":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtClose","arguments":{"handle":"0x0000000000000178"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000184","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000178","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}"},"category":"registry","flags":{"informatio
n_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)","value":"{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000178"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000178","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time
":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TreatAs"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"<INVALID POINTER>","information_class":3,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741789,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u009e\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u0000A\u00004\u0000A\u00001\u0000A\u00001\u00002\u00008\u0000-\u00007\u00006\u00008\u0000F\u0000-\u00004\u00001\u0000E\u00000\u0000-\u0000B\u0000F\u00007\u00005\u0000-\u0000E\u00004\u0000F\u0000D\u0000D\u0000D\u00007\u00000\u00001\u0000C\u0000B\u0000A\u0000}\u0000","information_class":3,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"categ
ory":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.82202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\Progid"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020219","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\C
LSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0006\u0000\u0000","information_class":7,"key_handle":"0x0000000000000184","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\Progid"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000178","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000178","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"stat
us":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocServer32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","value":"C:\\Program Files\\Internet 
Explorer\\ieproxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","value":"C:\\Program Files\\Internet Explorer\\ieproxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000184","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel","value":"Both"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocHandler32"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_st
atus":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocHandler"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.83702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000178"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000184","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.83702},{"api":"NtClose","arguments":{"handle":"0x0000000000000178"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000184","regkey":"HKEY
_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000178","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000184"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000178","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TreatAs"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.85302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000178"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.85302},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2
524,"time":1606943220.86902},{"api":"LdrLoadDll","arguments":{"basename":"ieproxy","flags":0,"module_address":"0x000007fef3380000","module_name":"C:\\Program Files\\Internet Explorer\\ieproxy.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef3381530","function_name":"DllGetClassObject","module":"ieproxy","module_address":"0x000007fef3380000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef3381010","function_name":"DllCanUnloadNow","module":"ieproxy","module_address":"0x000007fef3380000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"GetSystemInfo","arguments":{"processor_count":2},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000c2f000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":4,"region_size":28672,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000d90000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":64,"region_size":65536,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtProtectVirtu
alMemory","arguments":{"base_address":"0x0000000000d90000","heap_dep_bypass":1,"length":65536,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":32,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"t
ime":1606943220.86902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","value":"{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desir
ed_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\TreatAs"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"<INVALID 
POINTER>","information_class":3,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741789,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u009e\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u0000C\u00009\u00000\u00002\u00005\u00000\u0000F\u00003\u0000-\u00004\u0000D\u00007\u0000D\u0000-\u00004\u00009\u00009\u00001\u0000-\u00009\u0000B\u00006\u00009\u0000-\u0000A\u00005\u0000C\u00005\u0000B\u0000C\u00001\u0000C\u00002\u0000A\u0000E\u00006\u0000}\u0000","information_class":3,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\Progid"},"category":"registry","flags":{"desired_access":""},"last_error":14007,"nt_status":-1073741772,"retur
n_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x0000000000000124","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020219","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0001\u0006\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\Progid"},"category":"registry","flags":{
"desired_access":""},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000180","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000180","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","value":"PSFactoryBuffer"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocServer32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_cla
ss":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","value":"C:\\Windows\\system32\\actxprxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","value":"C:\\Windows\\system32\\actxprxy.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel","value":"Both"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.88402},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.884
02},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocHandler32"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocHandler"},"category":"registry","flags":{"desired_access":""},"last_error":1008,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.90002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value
":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\
TreatAs"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"last_error":1008,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.90002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"GetSystemTimeAsFileTime","arguments":{},"category":"synchronisation","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"LdrLoadDll","arguments":{"basename":"actxprxy","flags":0,"module_address":"0x000007fef9920000","module_name":"C:\\Windows\\system32\\actxprxy.dll","stack_pivoted":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef9921030","function_name":"DllGetClassObject","module":"actxprxy","module_address":"0x000007fef9920000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.90002},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fef9921010","function_name":"DllCanUnloadNow","module":"actxprxy","module_address":"0x000007fef9920000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stack
trace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_
MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","value":"{00000320-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00000320-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags
":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","value":"{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","f
lags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00000320-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.91502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktra
ce":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"cate
gory":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000180","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.9
3102},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"st
acktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000200","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"t
id":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)","value":"{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000016c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version","value":"1.0"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.9
3102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.93102},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x000000000000016c","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegEnumKeyW",
"arguments":{"index":1,"key_handle":"0x000000000000016c","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{},"last_error":14007,"nt_status":-2147483622,"return_value":259,"stacktrace":[],"status":0,"tid":2524,"time":1606943220.94702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x0000000000000180","key_name":"0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category"
:"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000168","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000170","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000170","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\shell32.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x0000000000000174","filepath":"C:\\Windows\\System32\\shell32.dll","filepath_r":"\\??\\C:\\Windows\\system32\\shell32.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stac
ktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8\u0000\u0000\u0000","file_handle":"0x0000000000000174","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":248},"category":"file","flags":{},"return_value":248,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x0000000000000174","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0006\u0000j\u0013\u0093Y\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x0000000000000174","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":240},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".text\u0000\u0000\u0000t\u00ebB\u0000\u0000\u0010\u0000\u0000\u0000\u00ecB\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".rdata\u0000\u0000\u00cc\u001d\u000b\u0000\u0000\u0000C\u0000\u0000\u001e\u000b\u0000\u0000\u00f0B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".data\u0000\u0000\u0000\u0000\u0095\u0000\u0000\u0000 
N\u0000\u0000|\u0000\u0000\u0000\u000eN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".pdata\u0000\u0000\u009c\u009e\u0004\u0000\u0000\u00c0N\u0000\u0000\u00a0\u0004\u0000\u0000\u008aN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00e0M\u0084\u0000\u0000`S\u0000\u0000N\u0084\u0000\u0000*S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000174","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450240},"category":"file","flags":{},"return_value":5450240,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0007\u0000","file_handle":"0x0000000000000174","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"NtReadFile","arguments":{"buffer":"N\n\u0002\u0080\u0090\u0000\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags
":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.94702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5583950},"category":"file","flags":{},"return_value":5583950,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450264},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"|\n\u0002\u0080\b\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5583996},"category":"file","flags":{},"return_value":5583996,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450272},"category":"file","fl
ags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"l\n\u0002\u0080H\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5583980},"category":"file","flags":{},"return_value":5583980,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"L\u0000I\u0000B\u0000R\u0000A\u0000R\u0000Y\u0000","file_handle":"0x0000000000000174","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450280},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u00ac\n\u0002\u0080\u0080\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_han
dle":"0x0000000000000174","move_method":0,"offset":5584044},"category":"file","flags":{},"return_value":5584044,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450288},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0084\n\u0002\u0080\u0098\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5584004},"category":"file","flags":{},"return_value":5584004,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u000b\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450296},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u009c\n\u0002\u0080\u00b8\u0001\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":16069
43220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5584028},"category":"file","flags":{},"return_value":5584028,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x0000000000000174","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x0000000000000174","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450304},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5450680},"category":"file","flags":{},"return_value":5450680,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000174","length":16,"offset":0}
,"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450696,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u00d8Z\u0000\u0080","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.96202},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5473496},"category":"file","flags":{},"return_value":5473496,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000174","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000@^\u0001\u0000","file_handle":"0x0000000000000174","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":
"SetFilePointer","arguments":{"file_handle":"0x0000000000000174","move_method":0,"offset":5539904},"category":"file","flags":{},"return_value":5539904,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtReadFile","arguments":{"buffer":" 2\u00d7\u0000Hz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x0000000000000174","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"GetFileSize","arguments":{"file_handle":"0x0000000000000174","file_size_low":14182400},"category":"file","flags":{},"return_value":14182400,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x0000000000000174","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000188","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x0000000000da0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000188","section_offset":14024704,"view_size":98304,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000170"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000168"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000
0000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000016c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000",
"information_class":7,"key_handle":"0x000000000000016c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000180","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000180","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000168","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000170","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry"
,"flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000170","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000170"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000168","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000170","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.978
02},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000170","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.97802},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000018c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\stdole2.tlb"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtClose","arguments":{"handle":"0x000000000000018c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x000000000000018c","filepath":"C:\\Windows\\System32\\stdole2.tlb","filepath_r":"\\??\\C:\\Windows\\system32\\stdole2.tlb","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"
},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b8\u0000\u0000\u0000","file_handle":"0x000000000000018c","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":184},"category":"file","flags":{},"return_value":184,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x000000000000018c","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0001\u0000S\u00ca[J\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x000000000000018c","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":240},"category":"file","flags":{},"return_value":448,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00a0?\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000018c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":512},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u00f8\u0000\u0000\u0080(\u0000\u0000\u0080","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"Se
tFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":760},"category":"file","flags":{},"return_value":760,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000018c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":536},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u00e8\u0000\u0000\u0080@\u0000\u0000\u0080","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":744},"category":"file","flags":{},"return_value":744,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.99402},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x000000000000018c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x000000000000018c","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":544},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":
1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":576},"category":"file","flags":{},"return_value":576,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":592,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u0088\u0000\u0000\u0080","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":648},"category":"file","flags":{},"return_va
lue":648,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000\u00c8\u0000\u0000\u0000","file_handle":"0x000000000000018c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000018c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0011\u0000\u0000@:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x000000000000018c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"GetFileSize","arguments":{"file_handle":"0x000000000000018c","file_size_low":16896},"category":"file","flags":{},"return_value":16896,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x000000000000018c","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000190","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtMapViewOfSecti
on","arguments":{"allocation_type":0,"base_address":"0x0000000000dc0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000190","section_offset":0,"view_size":16384,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000170"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000168"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000180"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000016c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00020420-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"clsid":"PSDispatch","iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x000000000000018c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000dc0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":16384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x0000000000000190"},"category":"system"
,"flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000da0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":98304},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.00902},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\I
nterface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00020019","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000174","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey",
"arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000188","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","value":"{00020424-0000-0000-C000-000000000046}"},"category":"registry","flags":{"in
formation_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtClose","arguments":{"handle":"0x0000000000000188"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":0,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey"
:"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000","information_class":3,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyNameInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000200","key_handle":"0x0000000000000000","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\Forward"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"last_error":14007,"nt_status":-1073741772,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.0250
2},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000174","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)","value":"{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000174","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version","value":"1.0"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.02502},{"api":"RegCloseKey","arguments":{"
key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x0000000000000174","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C9056
4FE}"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegEnumKeyW","arguments":{"index":1,"key_handle":"0x0000000000000174","key_name":"1.0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{},"last_error":14007,"nt_status":-2147483622,"return_value":259,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"RegEnumKeyW","arguments":{"index":0,"key_handle":"0x0000000000000188","key_name":"0","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000
0000000190","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000190","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000018c","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\shell32.dll"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x000000000000016c","filepath":"C:\\Windows\\System32\\shell32.dll","filepath_r":"\\??\\C:\\Windows\\system32\\shell32.dll","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIB
UTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8\u0000\u0000\u0000","file_handle":"0x000000000000016c","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":248},"category":"file","flags":{},"return_value":248,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x000000000000016c","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0006\u0000j\u0013\u0093Y\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x000000000000016c","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":240},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".text\u0000\u0000\u0000t\u00ebB\u0000\u0000\u0010\u0000\u0000\u0000\u00ecB\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".rdata\u0000\u0000\u00cc\u001d\u000b\u0000\u0000\u0000C\u0000\u0000\u001e\u000b\u0000\u0000\u00f0B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".data\u0000\u0000\u0000\u0000\u0095\u0000\u0000\u0000 
N\u0000\u0000|\u0000\u0000\u0000\u000eN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".pdata\u0000\u0000\u009c\u009e\u0004\u0000\u0000\u00c0N\u0000\u0000\u00a0\u0004\u0000\u0000\u008aN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00e0M\u0084\u0000\u0000`S\u0000\u0000N\u0084\u0000\u0000*S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x000000000000016c","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450240},"category":"file","flags":{},"return_value":5450240,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0007\u0000","file_handle":"0x000000000000016c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"NtReadFile","arguments":{"buffer":"N\n\u0002\u0080\u0090\u0000\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags
":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.04002},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5583950},"category":"file","flags":{},"return_value":5583950,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450264},"category":"file","flags":{},"return_value":5450264,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"|\n\u0002\u0080\b\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5583996},"category":"file","flags":{},"return_value":5583996,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450272},"category":"file","fl
ags":{},"return_value":5450272,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"l\n\u0002\u0080H\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5583980},"category":"file","flags":{},"return_value":5583980,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"L\u0000I\u0000B\u0000R\u0000A\u0000R\u0000Y\u0000","file_handle":"0x000000000000016c","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450280},"category":"file","flags":{},"return_value":5450280,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u00ac\n\u0002\u0080\u0080\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_han
dle":"0x000000000000016c","move_method":0,"offset":5584044},"category":"file","flags":{},"return_value":5584044,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450288},"category":"file","flags":{},"return_value":5450288,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0084\n\u0002\u0080\u0098\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5584004},"category":"file","flags":{},"return_value":5584004,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u000b\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450296},"category":"file","flags":{},"return_value":5450296,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u009c\n\u0002\u0080\u00b8\u0001\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":16069
43221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5584028},"category":"file","flags":{},"return_value":5584028,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x000000000000016c","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x000000000000016c","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450304},"category":"file","flags":{},"return_value":5450304,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5450680},"category":"file","flags":{},"return_value":5450680,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000016c","length":16,"offset":0}
,"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":5450696,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u00d8Z\u0000\u0080","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":1,"offset":0},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5473496},"category":"file","flags":{},"return_value":5473496,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x000000000000016c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000@^\u0001\u0000","file_handle":"0x000000000000016c","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":
"SetFilePointer","arguments":{"file_handle":"0x000000000000016c","move_method":0,"offset":5539904},"category":"file","flags":{},"return_value":5539904,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtReadFile","arguments":{"buffer":" 2\u00d7\u0000Hz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x000000000000016c","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"GetFileSize","arguments":{"file_handle":"0x000000000000016c","file_size_low":14182400},"category":"file","flags":{},"return_value":14182400,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x000000000000016c","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000180","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"NtMapViewOfSection","arguments":{"allocation_type":0,"base_address":"0x0000000000da0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000180","section_offset":14024704,"view_size":98304,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.05602},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000190"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000
0000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000024","regkey":"HKEY_LOCAL_MACHINE"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\Software\\Classes"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtClose","arguments":{"handle":"0x0000000000000174"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000174","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000",
"information_class":7,"key_handle":"0x0000000000000174","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000188","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000188","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000190","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000190","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry"
,"flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000018c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000168"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x0000000000000190","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x02000000","key_handle":"0x000000000000018c","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"desired_access":"MAXIMUM_ALLOWED"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.072
02},{"api":"NtQueryKey","arguments":{"buffer":"\u0000\u0000\u0000\u0000","information_class":7,"key_handle":"0x000000000000018c","regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"},"category":"registry","flags":{"information_class":"KeyHandleTagsInformation"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtOpenKeyEx","arguments":{"desired_access":"0x00000001","key_handle":"0x0000000000000168","options":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"},"category":"registry","flags":{"desired_access":""},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x0000000000000168","key_name":"","reg_type":1,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","value":"C:\\Windows\\system32\\stdole2.tlb"},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_SZ"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtClose","arguments":{"handle":"0x0000000000000168"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.07202},{"api":"NtCreateFile","arguments":{"create_disposition":1,"create_options":2144,"desired_access":"0x80100080","file_attributes":0,"file_handle":"0x0000000000000168","filepath":"C:\\Windows\\System32\\stdole2.tlb","filepath_r":"\\??\\C:\\Windows\\system32\\stdole2.tlb","share_access":5,"status_info":1},"category":"file","flags":{"create_disposition":"FILE_OPEN","create_options":"FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT","desired_access":"FILE_READ_ATTRIBUTES|SYNCHRONIZE","file_attributes":"","share_access":"FILE_SHARE_READ|FILE_SHARE_DELETE","status_info":"FILE_OPENED"
},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b8\u0000\u0000\u0000","file_handle":"0x0000000000000168","length":64,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":184},"category":"file","flags":{},"return_value":184,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"PE\u0000\u0000","file_handle":"0x0000000000000168","length":4,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"d\u0086\u0001\u0000S\u00ca[J\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" 
","file_handle":"0x0000000000000168","length":20,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":240},"category":"file","flags":{},"return_value":448,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":".rsrc\u0000\u0000\u0000\u00a0?\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@","file_handle":"0x0000000000000168","length":40,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":512},"category":"file","flags":{},"return_value":512,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u00f8\u0000\u0000\u0080(\u0000\u0000\u0080","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"Se
tFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":760},"category":"file","flags":{},"return_value":760,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u0003\u0000","file_handle":"0x0000000000000168","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":536},"category":"file","flags":{},"return_value":536,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u00e8\u0000\u0000\u0080@\u0000\u0000\u0080","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":744},"category":"file","flags":{},"return_value":744,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"\u0007\u0000","file_handle":"0x0000000000000168","length":2,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"NtReadFile","arguments":{"buffer":"T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000","file_handle":"0x0000000000000168","length":14,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":544},"category":"file","flags":{},"return_value":544,"stacktrace":[],"status":1,"tid":2524,"time":
1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.08702},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":576},"category":"file","flags":{},"return_value":576,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":592,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0001\u0000\u0000\u0000\u0088\u0000\u0000\u0080","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":1,"offset":0},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":648},"category":"file","flags":{},"return_va
lue":648,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\t\u0004\u0000\u0000\u00c8\u0000\u0000\u0000","file_handle":"0x0000000000000168","length":8,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":488},"category":"file","flags":{},"return_value":488,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"SetFilePointer","arguments":{"file_handle":"0x0000000000000168","move_method":0,"offset":712},"category":"file","flags":{},"return_value":712,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtReadFile","arguments":{"buffer":"\u0000\u0011\u0000\u0000@:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000","file_handle":"0x0000000000000168","length":16,"offset":0},"category":"file","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"GetFileSize","arguments":{"file_handle":"0x0000000000000168","file_size_low":16896},"category":"file","flags":{},"return_value":16896,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtCreateSection","arguments":{"desired_access":"0x000f0005","file_handle":"0x0000000000000168","object_handle":"0x0000000000000000","protection":2,"section_handle":"0x0000000000000170","section_name":""},"category":"process","flags":{"desired_access":"STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtMapViewOfSecti
on","arguments":{"allocation_type":0,"base_address":"0x0000000000dc0000","buffer":"","commit_size":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"section_handle":"0x0000000000000170","section_offset":0,"view_size":16384,"win32_protect":2},"category":"process","flags":{"allocation_type":"","win32_protect":"PAGE_READONLY"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x000000000000018c"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000190"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000188"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000174"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"CoGetClassObject","arguments":{"class_context":-2147483647,"clsid":"{00020420-0000-0000-c000-000000000046}","iid":"{d5f569d0-593b-101a-b569-08002b2dbf7a}"},"category":"ole","flags":{"clsid":"PSDispatch","iid":"IID_IPSFactoryBuffer"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x0000000000000168"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000dc0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":16384},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x0000000000000170"},"category":"system"
,"flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x000000000000016c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000da0000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":98304},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"NtClose","arguments":{"handle":"0x0000000000000180"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd9607f0","function_name":"CoAllowSetForegroundWindow","module":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.10302},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791180","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":9},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791180","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":9},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007feff791210","function_name":"","module":"OLEAUT32","module_address":"0x000007feff790000","ordinal":6},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefd8af1d8","function_name":"CoUninitialize","mo
dule":"ole32","module_address":"0x000007fefd890000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.11902},{"api":"CoUninitialize","arguments":{},"category":"ole","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"RegCloseKey","arguments":{"key_handle":"0x0000000000000054"},"category":"registry","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"LdrLoadDll","arguments":{"basename":"api-ms-win-appmodel-runtime-l1-1-2","flags":0,"module_address":"0x0000000000000000","module_name":"api-ms-win-appmodel-runtime-l1-1-2","stack_pivoted":0},"category":"system","flags":{},"last_error":0,"nt_status":-1072365560,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"LdrGetDllHandle","arguments":{"module_address":"0x0000000000000000","module_name":"mscoree.dll","stack_pivoted":0},"category":"system","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":-1073741515,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x0000000000000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"last_error":126,"nt_status":-1073741515,"return_value":0,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"NtTerminateProcess","arguments":{"process_handle":"0x0000000000000000","process_identifier":0,"status_code":"0x00000000"},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0
x0000000000000120"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000a60000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":28672},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000134"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000130"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000a70000","free_type":16384,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtFreeVirtualMemory","arguments":{"base_address":"0x0000000000a70000","free_type":32768,"process_handle":"0xffffffffffffffff","process_identifier":1952,"size":65536},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtUnmapViewOfSection","arguments":{"base_address":"0x0000000000a50000","process_handle":"0xffffffffffffffff","process_identifier":1952,"region_size":4096},"category":"process","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000128"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000b8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000bc"
},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000c0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000c4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000c8"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000cc"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000d0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000d4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000b0"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000009c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000098"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000058"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15
002},{"api":"LdrGetProcedureAddress","arguments":{"function_address":"0x000007fefccc4a74","function_name":"CryptReleaseContext","module":"CRYPTSP","module_address":"0x000007fefccc0000","ordinal":0},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"LdrUnloadDll","arguments":{"library":"IMM32","module_address":"0x000007feff1f0000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtOpenKey","arguments":{"desired_access":"0x00020019","key_handle":"0x000000000000006c","regkey":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"},"category":"registry","flags":{"desired_access":"READ_CONTROL"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtQueryValueKey","arguments":{"information_class":2,"key_handle":"0x000000000000006c","key_name":"","reg_type":0,"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS 
NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","value":""},"category":"registry","flags":{"information_class":"KeyValuePartialInformation","reg_type":"REG_NONE"},"last_error":0,"nt_status":-1073741515,"return_value":-1073741772,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000006c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x000000000000001c"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x0000000000000020"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"LdrUnloadDll","arguments":{"library":"ntmarta","module_address":"0x000007fefc6c0000"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtClose","arguments":{"handle":"0x00000000000000e4"},"category":"system","flags":{},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943221.15002},{"api":"NtTerminateProcess","arguments":{"process_handle":"0xffffffffffffffff","process_identifier":1952,"status_code":"0x00000000"},"category":"process","flags":{},"last_error":203,"nt_status":-1073741568,"return_value":0,"stacktrace":[],"status":0,"tid":2524,"time":1606943221.15002}],"command_line":"\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","first_seen":1606943649.755751,"modules":[{"baseaddr":"0x13ff30000","basename":"firefox.exe","filepath":"C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","imgsize":593920},{"baseaddr":"0x777e0000","basename":"ntdll.dll","filepath":"C:\\Windows\\SYSTEM32\\ntdll.dll","imgsize":1744896},{"baseaddr":"0x775c0000","basename":"kernel32.dll","filepath":"C:\\Windows\\system32\\kernel32.dll","imgsize":1175552},{"baseaddr":"0x7fefd5b0000","basename":"KERNELBASE.dll","filepath":"C:\\Windows\\system32\\KERNELBASE.dll","imgsize":434176},{"baseaddr":"0x7fef0b10000","basename":"mozglue.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\mozglue.dll","imgsize":507904},{"baseaddr":"0x7feff3f0000","basename":"ADVAPI32.dll","filepath":"C:\\Windows\\system32\\ADVAPI32.dll","imgsize":897024},{"baseaddr":"0x7fefe0f0000","basename":"msvcrt.dll","filepath":"C:\\Windows\\system32\\msvcrt.dll","imgsize":651264},{"baseaddr":"0x7feff350000","basename":"sechost.dll","filepath":"C:\\Windows\\SYSTEM32\\sechost.dll","imgsize":126976},{"baseaddr":"0x7feff660000","basename":"RPCRT4.dll","filepath":"C:\\Windows\\system32\\RPCRT4.dll","imgsize":1232896},{"baseaddr":"0x7fefd660000","basename":"CRYPT32.dll","filepath":"C:\\Windows\\system32\\CRYPT32.dll","imgsize":1495040},{"baseaddr":"0x7fefd4e0000","basename":"MSASN1.dll","filepath":"C:\\Windows\\system32\\MSASN1.dll","imgsize":61440},{"baseaddr":"0x7fefc730000","basename":"VERSION.dll","filepath":"C:\\Windows\\system32\\VERSION.dll","imgsize":49152},{"baseaddr":"0x7fefd850000","basename":"WINTRUST.dll","filepath":"C:\\Windows\\system32\\WINTRUST.dll","imgsize":241664},{"baseaddr":"0x7fef88b0000","basename":"dbghelp.dll","filepath":"C:\\Windows\\system32\\dbghelp.dll","imgsize":1200128},{"baseaddr":"0x7fef0a70000","basename":"MSVCP140.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\MSVCP140.dll","imgsize":634880},{"baseaddr":"0x7fef4fd0000","basename":"VCRUNTIME140.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\VCRUNTIME140.dll","imgsize":90112},{"baseaddr":"0x7fef7210000","basename":"api-ms-win-crt-runtime-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla 
Firefox\\api-ms-win-crt-runtime-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef0970000","basename":"ucrtbase.DLL","filepath":"C:\\Program Files\\Mozilla Firefox\\ucrtbase.DLL","imgsize":1024000},{"baseaddr":"0x7fefac50000","basename":"api-ms-win-core-localization-l1-2-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-localization-l1-2-0.dll","imgsize":12288},{"baseaddr":"0x7fef6240000","basename":"api-ms-win-core-processthreads-l1-1-1.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-processthreads-l1-1-1.dll","imgsize":12288},{"baseaddr":"0x7fef7140000","basename":"api-ms-win-core-file-l1-2-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-file-l1-2-0.dll","imgsize":12288},{"baseaddr":"0x7fef5400000","basename":"api-ms-win-core-timezone-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-timezone-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef53f0000","basename":"api-ms-win-core-file-l2-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-file-l2-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef4e70000","basename":"api-ms-win-core-synch-l1-2-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-synch-l1-2-0.dll","imgsize":12288},{"baseaddr":"0x7fef4e80000","basename":"api-ms-win-crt-string-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-string-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef4e50000","basename":"api-ms-win-crt-heap-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-heap-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef4e60000","basename":"api-ms-win-crt-stdio-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-stdio-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef4df0000","basename":"api-ms-win-crt-convert-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla 
Firefox\\api-ms-win-crt-convert-l1-1-0.dll","imgsize":16384},{"baseaddr":"0x7fef4e00000","basename":"api-ms-win-crt-locale-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-locale-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3ab0000","basename":"api-ms-win-crt-math-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-math-l1-1-0.dll","imgsize":20480},{"baseaddr":"0x7fef4de0000","basename":"api-ms-win-crt-time-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-time-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3a90000","basename":"api-ms-win-crt-filesystem-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-filesystem-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3aa0000","basename":"api-ms-win-crt-environment-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-environment-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x7fef3a70000","basename":"api-ms-win-crt-utility-l1-1-0.dll","filepath":"C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-utility-l1-1-0.dll","imgsize":12288},{"baseaddr":"0x74540000","basename":"monitor-x64.dll","filepath":"C:\\tmpcaygsr\\bin\\monitor-x64.dll","imgsize":2269184}],"pid":1952,"ppid":2976,"process_name":"firefox.exe","process_path":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","tid":2524,"time":0,"track":true,"type":"process"}],"processtree":[{"children":[],"command_line":"C:\\Windows\\system32\\lsass.exe","first_seen":1606943609.640625,"pid":500,"ppid":384,"process_name":"lsass.exe","track":false},{"children":[{"children":[],"command_line":"\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","first_seen":1606943649.755751,"pid":1952,"ppid":2976,"process_name":"firefox.exe","track":true}],"command_line":"\"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe\" 
","first_seen":1606943648.427626,"pid":2976,"ppid":3028,"process_name":"Win32.DarkTequila.exe","track":true}],"summary":{"command_line":["\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"","http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974"],"directory_enumerated":["C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Windows\\SysWOW64","C:\\Windows","C:\\Windows\\SysWOW64\\*.*"],"dll_loaded":["urlmon.dll","api-ms-win-appmodel-runtime-l1-1-2","apphelp.dll","gdi32.dll","msvcrt.dll","C:\\Program Files\\Internet Explorer\\ieproxy.dll","Ole32.dll","ntmarta.dll","api-ms-win-downlevel-advapi32-l1-1-0.dll","PROPSYS.dll","API-MS-Win-Core-LocalRegistry-L1-1-0.dll","KERNEL32.DLL","api-ms-win-downlevel-ole32-l1-1-0.dll","advapi32.dll","ole32.dll","CRYPTSP.dll","C:\\Windows\\system32\\IMM32.DLL","wpcap.dll","C:\\Windows\\system32\\actxprxy.dll","OLEAUT32","OLEAUT32.dll","Shell32.dll","comctl32.dll","api-ms-win-downlevel-shlwapi-l2-1-0.dll","ADVAPI32.dll","SETUPAPI.dll"],"file_created":["c:\\Windows\\csrss.dll"],"file_exists":["C:\\Windows\\SysWOW64\\ieframe.dll"],"file_opened":["C:\\Program Files\\Mozilla 
Firefox\\firefox.exe","C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\SysWOW64\\ieframe.dll","C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe","C:\\Windows\\SysWOW64\\","\\??\\c:","\\??\\PhysicalDrive0","C:\\Windows\\System32\\shell32.dll","C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui","C:\\Windows\\AppPatch\\sysmain.sdb"],"file_read":["C:\\Windows\\System32\\stdole2.tlb","C:\\Windows\\System32\\shell32.dll","C:\\Windows\\SysWOW64\\ieframe.dll"],"file_recreated":["\\??\\C:"],"file_written":["c:\\Windows\\csrss.dll"],"guid":["{00000320-0000-0000-c000-000000000046}","{0000015b-0000-0000-c000-000000000046}","{00020420-0000-0000-c000-000000000046}","{76765b11-3f95-4af2-ac9d-ea55d8994f1a}","{9ba05972-f6a8-11cf-a442-00a0c90a8f39}","{85cb6900-4d95-11cf-960c-0080c7f4ee85}","{00000000-0000-0000-c000-000000000046}","{d5f569d0-593b-101a-b569-08002b2dbf7a}","{0000034b-0000-0000-c000-000000000046}","{871c5380-42a0-1069-a2ea-08002b30309d}","{000214e6-0000-0000-c000-000000000046}"],"mutex":["Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"],"regkey_opened":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\SYSTEM\\Select","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Svchost","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters","HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings"],"regkey_read":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood","HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet 
Explorer\\Main\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet 
Explorer\\MAIN\\AdminTabProcs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer","HKEY_LOCAL_MACHIN
E\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler","HKEY_LOCAL_MACHINE\\SOFT
WARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth","HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM","HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\CreateUriCacheSize","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2
E9408FE}\\SuppressionPolicy","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes","HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image","HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles","HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath","HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data","HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache"],"regkey_written":["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName","HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows 
NT\\CurrentVersion\\Svchost\\Wcsrss","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl","HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64"]}},"debug":{"action":["gatherer"],"cuckoo":["2020-12-02 21:13:58,542 [cuckoo.core.scheduler] INFO: Task #10: acquired machine cuckoo1 (label=win7cuckoo)\n","2020-12-02 21:13:58,542 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #10\n","2020-12-02 21:13:58,542 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay\n","2020-12-02 21:13:58,548 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 11572 (interface=vboxnet0, host=192.168.56.101)\n","2020-12-02 21:13:58,549 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n","2020-12-02 21:13:58,573 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7cuckoo\n","2020-12-02 21:13:58,689 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7cuckoo to cuckoo-ready5\n","2020-12-02 21:14:02,934 [cuckoo.core.guest] INFO: Starting analysis #10 on guest (id=cuckoo1, ip=192.168.56.101)\n","2020-12-02 21:14:03,937 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n","2020-12-02 21:14:04,943 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n","2020-12-02 21:14:05,946 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n","2020-12-02 21:14:06,003 [cuckoo.core.guest] DEBUG: cuckoo1: not ready 
yet\n","2020-12-02 21:14:07,032 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)\n","2020-12-02 21:14:07,062 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3884763)\n","2020-12-02 21:14:07,326 [cuckoo.core.resultserver] DEBUG: Task #10: live log analysis.log initialized.\n","2020-12-02 21:14:07,976 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n","2020-12-02 21:14:08,178 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n","2020-12-02 21:14:09,253 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0001.jpg'\n","2020-12-02 21:14:09,259 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 127170\n","2020-12-02 21:14:09,762 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n","2020-12-02 21:14:10,337 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0002.jpg'\n","2020-12-02 21:14:10,344 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 124839\n","2020-12-02 21:14:11,442 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0003.jpg'\n","2020-12-02 21:14:11,445 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 126799\n","2020-12-02 21:14:12,256 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #10 still processing\n","2020-12-02 21:14:13,604 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0004.jpg'\n","2020-12-02 21:14:13,615 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 124612\n","2020-12-02 21:14:14,273 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully\n","2020-12-02 21:14:14,280 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay\n","2020-12-02 21:14:14,319 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer\n","2020-12-02 21:14:16,525 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7cuckoo to 
path /home/jean/.cuckoo/storage/analyses/10/memory.dmp\n","2020-12-02 21:14:16,529 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7cuckoo\n","2020-12-02 21:14:16,630 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0005.jpg'\n","2020-12-02 21:14:16,702 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 126296\n","2020-12-02 21:14:16,906 [cuckoo.core.resultserver] DEBUG: Task #10 had connection reset for <Context for LOG>\n","2020-12-02 21:14:20,398 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.56.101 for task #10\n","2020-12-02 21:14:20,822 [cuckoo.core.scheduler] DEBUG: Released database task #10\n","2020-12-02 21:14:21,251 [cuckoo.core.plugins] DEBUG: Executed processing module \"AnalysisInfo\" for task #10\n","2020-12-02 21:14:21,663 [cuckoo.core.plugins] DEBUG: Executed processing module \"BehaviorAnalysis\" for task #10\n","2020-12-02 21:14:21,665 [cuckoo.core.plugins] DEBUG: Executed processing module \"Dropped\" for task #10\n","2020-12-02 21:14:21,666 [cuckoo.core.plugins] DEBUG: Executed processing module \"DroppedB"],"dbgview":[],"errors":[],"log":["2020-12-02 21:13:29,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmpcaygsr\n","2020-12-02 21:13:29,015 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\xjdrXqVKEocylZtiKIZVzSdkMxH\n","2020-12-02 21:13:29,015 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\LpDHTZmFiObyxUcCZLljz\n","2020-12-02 21:13:29,171 [analyzer] DEBUG: Started auxiliary module DbgView\n","2020-12-02 21:13:29,530 [analyzer] DEBUG: Started auxiliary module Disguise\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Loaded monitor into process with pid 500\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module Human\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n","2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module 
Reboot\n","2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module RecentFiles\n","2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module Screenshots\n","2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n","2020-12-02 21:13:29,780 [lib.api.process] INFO: Successfully executed process from path u'C:\\\\Users\\\\mes-vms\\\\AppData\\\\Local\\\\Temp\\\\Win32.DarkTequila.exe' with arguments '' and pid 2976\n","2020-12-02 21:14:08,505 [analyzer] DEBUG: Loaded monitor into process with pid 2976\n","2020-12-02 21:14:09,677 [analyzer] INFO: Injected into process with pid 1952 and name u'\\uc7d0\\u022c'\n","2020-12-02 21:14:09,880 [analyzer] DEBUG: Loaded monitor into process with pid 1952\n","2020-12-02 21:14:10,645 [lib.api.process] WARNING: The process with pid 1952 is not alive, memory dump aborted\n","2020-12-02 21:14:11,240 [analyzer] INFO: Process with pid 1952 has terminated\n","2020-12-02 21:14:12,645 [analyzer] INFO: Added new file to list with pid 2976 and path C:\\Windows\\csrss.dll\n","2020-12-02 21:14:12,661 [lib.api.process] WARNING: The process with pid 2976 is not alive, memory dump aborted\n","2020-12-02 21:14:13,240 [analyzer] INFO: Process with pid 2976 has terminated\n","2020-12-02 21:14:13,240 [analyzer] INFO: Process list is empty, terminating analysis.\n","2020-12-02 21:14:14,240 [analyzer] INFO: Error dumping file from path \"c:\\windows\\csrss.dll\": [Errno 13] Permission denied\n","2020-12-02 21:14:14,240 [analyzer] INFO: Analysis completed.\n"]},"info":{"added":1606943609.47906,"category":"file","custom":null,"duration":22,"ended":1606943660.876434,"git":{"fetch_head":"13cbe0d9e457be3673304533043e992ead1ea9b2","head":"13cbe0d9e457be3673304533043e992ead1ea9b2"},"id":10,"machine":{"label":"win7cuckoo","manager":"VirtualBox","name":"cuckoo1","shutdown_on":"2020-12-02 21:14:20","started_on":"2020-12-02 
21:13:58","status":"stopped"},"monitor":"2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b","options":"procmemdump=yes,route=none","owner":null,"package":"exe","platform":"windows","route":"none","score":6.4,"started":1606943638.493838,"version":"2.0.7"},"metadata":{"output":{"pcap":{"basename":"dump.pcap","dirname":"","sha256":"704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea"}}},"network":{"dead_hosts":[],"dns":[],"dns_servers":[],"domains":[],"hosts":[],"http":[],"http_ex":[],"https_ex":[],"icmp":[],"irc":[],"mitm":[],"pcap_sha256":"704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea","smtp":[],"smtp_ex":[],"tcp":[],"tls":[],"udp":[]},"screenshots":[{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0001.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0002.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0003.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0004.jpg"},{"ocr":"","path":"/home/jean/.cuckoo/storage/analyses/10/shots/0005.jpg"}],"signatures":[{"description":"Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)","families":[],"markcount":1,"marks":[{"category":"registry","description":null,"ioc":"HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid","type":"ioc"}],"name":"recon_fingerprint","references":[],"severity":1,"ttp":{}},{"description":"Tries to locate where the browsers are installed","families":[],"markcount":1,"marks":[{"category":"file","description":null,"ioc":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","type":"ioc"}],"name":"locates_browser","references":[],"severity":1,"ttp":{}},{"description":"Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory 
available","families":[],"markcount":1,"marks":[{"call":{"api":"GlobalMemoryStatusEx","arguments":{},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2576,"time":1606943649.630626},"cid":1059,"pid":2976,"type":"call"}],"name":"antivm_memory_available","references":[],"severity":1,"ttp":{"T1082":{"long":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.","short":"System Information Discovery"}}},{"description":"The executable uses a known packer","families":[],"markcount":1,"marks":[{"category":"packer","description":null,"ioc":"UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser","type":"ioc"}],"name":"peid_packer","references":[],"severity":1,"ttp":{"T1045":{"long":"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory.","short":"Software Packing"}}},{"description":"One or more processes crashed","families":[],"markcount":5,"marks":[{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c100d","exception_code":"0xc0000094","instruction":"div eax","instruction_r":"f7 f0 e8 9c 05 00 00 85 c0 74 06 b8 0a 00 00 00","module":"Win32.DarkTequila.exe","offset":4109,"symbol":"win32+0x100d"},"registers":{"eax":0,"ebp":2752212,"ebx":0,"ecx":3503292416,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751908},"stacktrace":"win32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":208,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c1602","exception_code":"0xc0000096","instruction":"in eax, dx","instruction_r":"ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45","module":"Win32.DarkTequila.exe","offset":5634,"symbol":"win32+0x1602"},"registers":{"eax":1447909480,"ebp":2751900,"ebx":0,"ecx":10,"edi":1971160937,"edx":22104,"esi":7155388,"esp":2751844},"stacktrace":"win32+0x1014 @ 0x3c1014\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 
0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":210,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c1546","exception_code":"0xc000001d","instruction_r":"0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec","module":"Win32.DarkTequila.exe","offset":5446,"symbol":"win32+0x1546"},"registers":{"eax":1,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":0,"esi":7155388,"esp":2751844},"stacktrace":"win32+0x1023 @ 0x3c1023\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":211,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c12ad","exception_code":"0x80000004","instruction":"mov dword ptr [ebp + 0xfffffffc], 0xfffffffe","instruction_r":"c7 45 fc fe ff ff ff b8 01 00 00 00 8b 4d f0 64","module":"Win32.DarkTequila.exe","offset":4781,"symbol":"win32+0x12ad"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2028644408,"edi":1971160937,"edx":2130566132,"esi":7155388,"esp":2751860},"stacktrace":"win32+0x108c @ 0x3c108c\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 
0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},"cid":259,"pid":2976,"type":"call"},{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c121d","exception_code":"0x80000003","instruction":"rol byte ptr [ebx + 0x45c702c0], -4","instruction_r":"c0 83 c0 02 c7 45 fc fe ff ff ff b8 01 00 00 00","module":"Win32.DarkTequila.exe","offset":4637,"symbol":"win32+0x121d"},"registers":{"eax":2751884,"ebp":2751900,"ebx":0,"ecx":2026067364,"edi":1971160937,"edx":844648,"esi":7155388,"esp":2751860},"stacktrace":"win32+0x10b9 @ 0x3c10b9\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.552626},"cid":266,"pid":2976,"type":"call"}],"name":"raises_exception","references":[],"severity":1,"ttp":{}},{"description":"Allocates read-write-execute memory (usually to unpack 
itself)","families":[],"markcount":4,"marks":[{"call":{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":12288,"base_address":"0x00390000","heap_dep_bypass":0,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"region_size":4096,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT|MEM_RESERVE","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":256,"pid":2976,"type":"call"},{"call":{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x10001000","heap_dep_bypass":1,"length":40960,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},"cid":1273,"pid":2976,"type":"call"},{"call":{"api":"NtProtectVirtualMemory","arguments":{"base_address":"0x1000b000","heap_dep_bypass":1,"length":704512,"process_handle":"0xffffffff","process_identifier":2976,"protection":64,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.552626},"cid":1274,"pid":2976,"type":"call"},{"call":{"api":"NtAllocateVirtualMemory","arguments":{"allocation_type":4096,"base_address":"0x0000000000d90000","heap_dep_bypass":0,"process_handle":"0xffffffffffffffff","process_identifier":1952,"protection":64,"region_size":65536,"stack_dep_bypass":0,"stack_pivoted":0},"category":"process","flags":{"allocation_type":"MEM_COMMIT","protection":"PAGE_EXECUTE_READWRITE"},"return_value":0,"stacktrace":[],"status":1,"tid":2524,"time":1606943220.86902},"cid":201,"pid":1952,"type":"call"}],"name":"allocates_rwx","references":[],"severity":2,"ttp":{}},{"description":"Creates executable files on the 
filesystem","families":[],"markcount":1,"marks":[{"category":"file","description":null,"ioc":"c:\\Windows\\csrss.dll","type":"ioc"}],"name":"creates_exe","references":[],"severity":2,"ttp":{"T1129":{"long":"The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.","short":"Execution through Module Load"}}},{"description":"Creates a service","families":[],"markcount":1,"marks":[{"call":{"api":"CreateServiceA","arguments":{"desired_access":983551,"display_name":"Windows Client Server Runtime Subsystem","error_control":0,"filepath":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss","filepath_r":"%SystemRoot%\\system32\\svchost.exe -k Wcsrss","password":"","service_handle":"0x006deca0","service_manager_handle":"0x006dede0","service_name":"WindowsClientServerRunTimeSubsystem","service_start_name":"","service_type":16,"start_type":2},"category":"services","flags":{},"return_value":7204000,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1378,"pid":2976,"type":"call"}],"name":"creates_service","references":[],"severity":2,"ttp":{"T1031":{"long":"Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. 
Service configurations can be modified using utilities such as sc.exe and Reg.","short":"Modify Existing Service"}}},{"description":"The binary likely contains encrypted or compressed data indicative of a packer","families":[],"markcount":2,"marks":[{"description":"A section with a high entropy has been found","entropy":7.999643147892846,"section":{"entropy":7.999643147892846,"name":"UPX1","size_of_data":"0x000d5800","virtual_address":"0x0000d000","virtual_size":"0x000d6000"},"type":"generic"},{"description":"Overall entropy of this PE file is high","entropy":0.9976635514018691,"type":"generic"}],"name":"packer_entropy","references":["http://www.forensickb.com/2013/03/file-entropy-explained.html","http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"],"severity":2,"ttp":{"T1045":{"long":"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory.","short":"Software Packing"}}},{"description":"Checks for the Locally Unique Identifier on the system for a suspicious privilege","families":[],"markcount":4,"marks":[{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeDebugPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":194,"pid":2976,"type":"call"},{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeSecurityPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1417,"pid":2976,"type":"call"},{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeRestorePrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1419,"pid":2976,"type":"call"},{"call":{"api":"LookupPrivilegeValueW","arguments":{"privilege_name":"SeTakeOwnershipPrivilege","system_name":""},"category":"system","flags":{},"return_value":1,"stacktrace":[],"status":1,"tid":2868,"time":1606943652.646626},"cid":1421,"pid":2976,"type":"call"}],"name":"privilege_luid_check","references":[],"severity":2,"ttp":{}},{"description":"The executable is compressed using UPX","families":[],"markcount":2,"marks":[{"description":"Section name indicates UPX","section":"UPX0","type":"generic"},{"description":"Section name indicates UPX","section":"UPX1","type":"generic"}],"name":"packer_upx","references":[],"severity":2,"ttp":{"T1045":{"long":"Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory.","short":"Software Packing"}}},{"description":"Checks for the presence of known windows from debuggers and forensic tools","families":[],"markcount":4,"marks":[{"call":{"api":"FindWindowA","arguments":{"class_name":"OLLYDBG","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":248,"pid":2976,"type":"call"},{"call":{"api":"FindWindowA","arguments":{"class_name":"WinDbgFrameClass","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":249,"pid":2976,"type":"call"},{"call":{"api":"FindWindowA","arguments":{"class_name":"PROCMON_WINDOW_CLASS","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":250,"pid":2976,"type":"call"},{"call":{"api":"FindWindowA","arguments":{"class_name":"PROCEXPL","window_name":""},"category":"ui","flags":{},"last_error":18,"nt_status":-1073741808,"return_value":0,"stacktrace":[],"status":0,"tid":2868,"time":1606943649.536626},"cid":251,"pid":2976,"type":"call"}],"name":"antidbg_windows","references":[],"severity":3,"ttp":{"T1057":{"long":"Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software running on systems within the network.","short":"Process Discovery"}}},{"description":"Installs itself for autorun at Windows startup","families":[],"markcount":2,"marks":[{"service_name":"WindowsClientServerRunTimeSubsystem","service_path":"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss","type":"generic"},{"reg_key":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll","reg_value":"%SystemRoot%\\csrss.dll","type":"generic"}],"name":"persistence_autorun","references":[],"severity":3,"ttp":{"T1053":{"long":"Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system.","short":"Scheduled Task"},"T1060":{"long":"Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.  
These programs will be executed under the context of the user and will have the account's associated permissions level.","short":"Registry Run Keys / Startup Folder"}}},{"description":"Detects VMWare through the in instruction feature","families":[],"markcount":1,"marks":[{"call":{"api":"__exception__","arguments":{"exception":{"address":"0x3c1602","exception_code":"0xc0000096","instruction":"in eax, dx","instruction_r":"ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45","module":"Win32.DarkTequila.exe","offset":5634,"symbol":"win32+0x1602"},"registers":{"eax":1447909480,"ebp":2751900,"ebx":0,"ecx":10,"edi":1971160937,"edx":22104,"esi":7155388,"esp":2751844},"stacktrace":"win32+0x1014 @ 0x3c1014\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"},"category":"__notification__","flags":{},"raw":["stacktrace"],"return_value":0,"stacktrace":[],"status":1,"tid":2868,"time":1606943649.536626},"cid":210,"pid":2976,"type":"call"}],"name":"antivm_vmware_in_instruction","references":[],"severity":3,"ttp":{}},{"description":"File has been identified by 62 AntiVirus engines on VirusTotal as malicious","families":[],"markcount":62,"marks":[{"category":"Bkav","description":null,"ioc":"W32.AIDetectVM.malware2","type":"ioc"},{"category":"Elastic","description":null,"ioc":"malicious (high confidence)","type":"ioc"},{"category":"Cynet","description":null,"ioc":"Malicious (score: 
100)","type":"ioc"},{"category":"FireEye","description":null,"ioc":"Generic.mg.9fbdc5eca123e815","type":"ioc"},{"category":"CAT-QuickHeal","description":null,"ioc":"Trojan.Dynamer.8198","type":"ioc"},{"category":"McAfee","description":null,"ioc":"GenericRXAA-FA!9FBDC5ECA123","type":"ioc"},{"category":"Cylance","description":null,"ioc":"Unsafe","type":"ioc"},{"category":"Zillya","description":null,"ioc":"Trojan.Kryptik.Win32.820724","type":"ioc"},{"category":"Sangfor","description":null,"ioc":"Malware","type":"ioc"},{"category":"K7AntiVirus","description":null,"ioc":"Trojan ( 0004a2ea1 )","type":"ioc"},{"category":"Alibaba","description":null,"ioc":"Worm:Win32/DarkTequila.7550016f","type":"ioc"},{"category":"K7GW","description":null,"ioc":"Trojan ( 0004a2ea1 )","type":"ioc"},{"category":"Cybereason","description":null,"ioc":"malicious.ca123e","type":"ioc"},{"category":"Arcabit","description":null,"ioc":"Trojan.Graftor.D1F955","type":"ioc"},{"category":"TrendMicro","description":null,"ioc":"TSPY_DARKTEQUILA.A","type":"ioc"},{"category":"Cyren","description":null,"ioc":"W32/S-91f5258d!Eldorado","type":"ioc"},{"category":"Symantec","description":null,"ioc":"Backdoor.DarkTeq","type":"ioc"},{"category":"TotalDefense","description":null,"ioc":"Win32/Bancos_i","type":"ioc"},{"category":"APEX","description":null,"ioc":"Malicious","type":"ioc"},{"category":"Avast","description":null,"ioc":"Win32:Malware-gen","type":"ioc"},{"category":"Kaspersky","description":null,"ioc":"Trojan.Win32.DarkTequila.d","type":"ioc"},{"category":"BitDefender","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"NANO-Antivirus","description":null,"ioc":"Trojan.Win32.Dwn.dyfxok","type":"ioc"},{"category":"Paloalto","description":null,"ioc":"generic.ml","type":"ioc"},{"category":"MicroWorld-eScan","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"Tencent","description":null,"ioc":"Malware.Win32.Gencirc.10b3f5ed","type":"ioc"},{"category":"Ad-
Aware","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"Emsisoft","description":null,"ioc":"Gen:Variant.Graftor.129365 (B)","type":"ioc"},{"category":"Comodo","description":null,"ioc":"TrojWare.Win32.Crypt.EBT@611gnb","type":"ioc"},{"category":"F-Secure","description":null,"ioc":"Trojan.TR/Crypt.XPACK.Gen3","type":"ioc"},{"category":"DrWeb","description":null,"ioc":"Trojan.DownLoader17.30288","type":"ioc"},{"category":"VIPRE","description":null,"ioc":"Trojan.Win32.Generic.pak!cobra","type":"ioc"},{"category":"Invincea","description":null,"ioc":"Mal/Generic-R + W32/Crastic-A","type":"ioc"},{"category":"McAfee-GW-Edition","description":null,"ioc":"BehavesLike.Win32.Generic.cc","type":"ioc"},{"category":"Sophos","description":null,"ioc":"W32/Crastic-A","type":"ioc"},{"category":"SentinelOne","description":null,"ioc":"Static AI - Suspicious PE","type":"ioc"},{"category":"Jiangmin","description":null,"ioc":"Variant.Strictor.h","type":"ioc"},{"category":"Webroot","description":null,"ioc":"W32.Trojan.Gen","type":"ioc"},{"category":"Avira","description":null,"ioc":"TR/Crypt.XPACK.Gen3","type":"ioc"},{"category":"MAX","description":null,"ioc":"malware (ai 
score=100)","type":"ioc"},{"category":"Antiy-AVL","description":null,"ioc":"Trojan/Win32.SGeneric","type":"ioc"},{"category":"Gridinsoft","description":null,"ioc":"Worm.Win32.Mydoom.ka!i","type":"ioc"},{"category":"Microsoft","description":null,"ioc":"Worm:Win32/Crastic!rfn","type":"ioc"},{"category":"AegisLab","description":null,"ioc":"Trojan.Win32.DarkTequila.trya","type":"ioc"},{"category":"ZoneAlarm","description":null,"ioc":"Trojan.Win32.DarkTequila.d","type":"ioc"},{"category":"GData","description":null,"ioc":"Gen:Variant.Graftor.129365","type":"ioc"},{"category":"AhnLab-V3","description":null,"ioc":"Trojan/Win32.HDC.C138160","type":"ioc"},{"category":"Acronis","description":null,"ioc":"suspicious","type":"ioc"},{"category":"BitDefenderTheta","description":null,"ioc":"AI:Packer.519AA5961F","type":"ioc"},{"category":"ALYac","description":null,"ioc":"Trojan.Agent.DarkTequila","type":"ioc"}],"name":"antivirus_virustotal","references":[],"severity":6,"ttp":{}}],"static":{"imported_dll_count":2,"keys":[],"pdb_path":null,"pe_exports":[],"pe_imphash":"fc785ac8507eb2f8e2af81f89b4cb6fd","pe_imports":[{"dll":"KERNEL32.DLL","imports":[{"address":"0x4e3568","name":"LoadLibraryA"},{"address":"0x4e356c","name":"GetProcAddress"},{"address":"0x4e3570","name":"VirtualProtect"},{"address":"0x4e3574","name":"VirtualAlloc"},{"address":"0x4e3578","name":"VirtualFree"},{"address":"0x4e357c","name":"ExitProcess"}]},{"dll":"msvcrt.dll","imports":[{"address":"0x4e3584","name":"free"}]}],"pe_resources":[{"filetype":"GLS_BINARY_LSB_FIRST","language":"LANG_ENGLISH","name":"RT_ICON","offset":"0x000e33dc","size":"0x00000128","sublanguage":"SUBLANG_ENGLISH_US"},{"filetype":"GLS_BINARY_LSB_FIRST","language":"LANG_ENGLISH","name":"RT_ICON","offset":"0x000e33dc","size":"0x00000128","sublanguage":"SUBLANG_ENGLISH_US"},{"filetype":"data","language":"LANG_ENGLISH","name":"RT_GROUP_ICON","offset":"0x000e3508","size":"0x00000022","sublanguage":"SUBLANG_ENGLISH_US"}],"pe_sections":[{"entropy":0.0,"n
ame":"UPX0","size_of_data":"0x00000000","virtual_address":"0x00001000","virtual_size":"0x0000c000"},{"entropy":7.999643147892846,"name":"UPX1","size_of_data":"0x000d5800","virtual_address":"0x0000d000","virtual_size":"0x000d6000"},{"entropy":2.6819136088621818,"name":".rsrc","size_of_data":"0x00000800","virtual_address":"0x000e3000","virtual_size":"0x00001000"}],"pe_timestamp":"1999-12-05 05:15:29","pe_versioninfo":[],"peid_signatures":["UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser"],"signature":[]},"strings":["!This program cannot be run in DOS mode.","$]q\\<-",";i8,?}jWI&","\u001fR=.w}","F\",Og1g","Ei;<6<","d[?Q^\u001f","@EYzz:L","8?U):Dp","rUxS2\\","mS*<[S&","^AhYQ+","DW!I;J/","V%b,kT","O8\u001f`l ","kAW!k}","_@D<3q/","\\p5TV:\u001fd","Gj@@GEX",":aZq}hW","[+*X\\5","$QnAU$","v<%*$V","C&9q/r","\u001fZ{]F;","U6&eb{","MvGyZ:oL","pD1;Dm"," pLmxMp",">EUH&J","Y^1egN",">^<Md=","*tO6v1,","\\0mWyx","Ng}>\\t","18@j -Z","p2eRXD\"",")66'mV","t#e(u0+","j;\\zZT","27Mi#_","i'$K'f","KDY+fr","q[iH4Q","rC{;IG","@Al#7<","iZ>>z@","C=|e!1a","0g*TU4","l{LM]&M/*Xh","Gpf{nm","dR'c'[","=GtKHls","HJytA]Z","bQp+c\"","`Ob\"+T","mOav1.","%Tn`S;O","b9EN'P@","k^\\w2km",",^Ef'1","Q+{RZX:","#Mq~xLm","\\fO;GXf-","6V,;E4","Vu?HU'","x4{;n,","8ZetN6&","7$8)dI","UFX\"M+","6\\%xLQ","Jq=+Lc_","95[\\}>","^_=/6{","Cf/\\PX",",c2Mkt.f","j(q5Z*","nnc_rp["," 8b6G=#","\u001fvAW;qK","i|e%8Ef","T:t9@S","0OG8#*","AGF ]/","^Wv+Om#","kRSNzA|","rhaIIM",";E0Ow4","ckt`8/","oVTmk&","'fw>z0","@vn\"Q;J","059az.","0[s19b","7}J#&'","!.4>G%","#reb;(","9LW\u001fFG","4k;8qf","N!Acxz","v.]Q\u001f7_","H\"-5lV/","[]rc\\9","F)HYQ9V","j?nn AY","wt5a.H","ys]cC:","Ck\"fshh","la@\\W`","5(4Iw#","=WE&hZ;2","Nes!kCJ/","WqgM+>x4",",fcxi~","0H0xy=t","<dTbmx","MbR`(\"`","229.]cwG","^P-d.lj","J2:w;G,#K&","9W=($H","Q\u001fZu]{s","v'0to{p&","TRG0oe","]L(L%[","%d[2QU",":(k!_W","3H9&&^","VH+(v|n",">b{\"26G","Mp1El/Y","a>*[d8","-&VJG0O}","X'u[%n","~ 
E.@w","E(8kFg","YQ7\u001fKg","6@J{d[k","Fi=zY,","Hh-}7G","'#Z*i}","*}hj%/","ZC+s3L","{m?K5m,_/","G ;}HE","egyF|=","`Kx<Y/","&TJU97xfp$4,","Td=!beO","7FLec5A","=g-HEp","uNDy(|(","=}L{p5","buqCYLW]","Pi*5w=","ISnD`k]","ouN$muE(","]z+,!z5","r'\u001f]Pa<","+v;m&n","Udx\\[U","8M\"o>t","h.I\")R","^!<mE@","-Q_Har","zat''d"," 'h>^}","JBR[0TT@","g\"a6HI","@Yb9nkj","i.^m|+","jrym+:Ly9","IEY40xS","&[e\u001f_}:","ol VvL","ae:kv|[]!","4#x-&4","_+aYc]N","q`i@BJ","Nq4w3u","N);];'_]X^","AL@EOOB","e.Lm\\6","mw^bYU","GiWuEj(*Oe","D%u0 g","]8J*gw","Gf1g.q","Fs/=^&","aO7v57","6K&M.*!","R|7Zmh","}C<<J3k",".Qz55Ey","o3w`K+d","cy55v*Y+","T_(J~q","H%* [g","$IT.eBt","69AE'%","G~0v,_HB0","L44BM\"","PL1WpB8","=uea^D","N1v$f*","U6iIE%","r8F<fk'","G6g2|Q","AE:\\Qs","dU.F?80","1#An}\\Q","!+}S-S","iIL)_Q","N2S&(h","w\\Y-W&","JOM+*s","_PF_Yj",")2!l0S4","HV05C,z","5fL7(Z","xy.,S6","t*Zkcz\"X","\u001f| rn%","=%J0p\u001f","?Vt}>J",">\u001fpXZ'",")zj4/#","Db.}!Z","#O4IVf","C7-86.","3KC|PY","Lz: N.","b#w/|.","NY/NV%V","esnHb:s","t[5T}V)e","=uYHfz","WGlJOc","4sf}.w/}","cI9J9F,-","uf|z/h","v(j6lq","E:<J9p",";Hzb+]","Nk},f3;","s4\u001faxx<","{ IX( ","A*AzLS","<uOAZ)X","2;t`?\u001f","$C\"$eQ","xa0a.s","^#zIG:","cd0-XZ","2P+& L3","K&t7=|uDvZP","!cOdkD","IjYWVZ"," h@+e\u001f","-HLP)LX","))U ,R","yDfcn3aFA",")[Ld\u001fj","i=Qm[/","qbkLm0R)","3z\u001f)K?","OB*rH$","K#BK`;b!","`s]Q*(","]O!i<8","@\\|g7O,",".To.hTI","]i.i`-<","5x\\tgrjj","f>9\\V9","TY3gv@X","P?H]6e2['` ","\\i%US0","N[ss$U","yiVD\u001fG","%ySCO?r","2k`mG/","uu4:xwS","fJ\\Nf+{","\u001fo`].9","yX1#0p","]g6DIzr3","B()-,M]$!","Vs\\Qi#%","R&bmV\u001f'","A\\7P%S","zYK0K^","J;-Od3","RZ~CNG","hjwE2#7l<","/eu+n ","! 
YsP+","\"64^Sr","cv\\wQ0","+)'[f;%","Lqm^Bd","ZwIjA^","YL7V!M{","ue:}Rk6","JV~OgL","vTvok_","lw9/nf","4E op3","]Hilt1","6B!zB<",">Rk3/L","-v8\" s;j","x@#+^0","}P.(t%\\","PL|a.h","n]k({=","X#0z@z","BE~\"8W",">9jA0i","mOQ)!*","a$~K\\]","\u001f9oC)&9","8H+5,**","^,r`8j","7sX[=JsJ","k+|T7+7","JSU9TD-","s\\%c$E","l<VpYb","!iG9d>","zK*P44yO","-?:9+)%","TdKEe+","ydr<{C&'","7@E/x_4","hq!?eu","!@>L,>","a2<ni`h9","@(Ijgr","}{[=yYTx","\"[j,!9",">QD4/,]","AY7SMF","ax^EkuR5","{d!XW:","2,LhnK","LcTz{B","54Jfxy","'\u001fw\\[t","W4yWgD","Y0&+ 6.","^hIi26N","v9}X,<S","h\u001fUdJ<","[)x}9L","UU5\\EO","hmY(%N","6t3-|K","#Z{JMw","WC6/GHr;1","yF,h&Z","1`OT\\+@q","J~w{Bs","|\"^_uQ","3v\\/AX","|3\\Ad=","lucPPL",")%5O p","L+NI>C","o*tX+B","ayL.F%","OfO&wI",",VkWUuUX#3;*}","q\"J6`|",">!;vyB","~.O\"6/","=E[u<j","PQU'rh","\u001f$9fKy","O\\*>#1i","vr!B\\O8?","8GHv{S","d\u001fD'^'$","yj\\DD_","o@Ckgx","_`psm`",">E8)3k","a|:gwsX","#Pp8}R","Su0t:-$~","t{}S$HeM","VFbi_;y","`'7_\\v{s","~Xq!0>0","n,$FqxbAS","B~9Q-\\a","Qj=;@g","uL5Tw \u001f",";M:/+6^","E|g2Na","kS,pDC","p@O!'<_","jN^CK|Qq","ot'J<~{","j#73*/Q","P<j1hU","o.44uw","6LXg\"803","NZVvOg","\\k`z 5","}=BWkd}","rn5D[*","xg5)HOt","-3l8uM","~'8</W","4eu\\eK","C!wz;*","KWqvu?N","D Lcb3V","S-\\r28","`n<&A~","(4f<mM","e%>hos","`M-crYyj","72QG-W","}'efeIJ","6\\0G|V","4%}B^Y","y>NA!Lg",":s'Kq,Jk","dn9p43","p-{PGl","(?s,]_","\"h&VC;N","7;qqEy","=b[4!~",">-Q\u001fTW","V$@m2We^","'X8/N6K","v892Vd~|","3;^pRW","2;SsRdV","Dl8<'z",";j]zz1"," Z&'}*","~KMRc%","PJ0DOp",";)[J 
Q","WS7EE=","{~={f}","[8]MbHrW","d.5{`Y","p~~ItuV","9V+(vp","s*>EkY",";-.>(&","xWk&Co","\\#[gV4:","=]0ZCi*h","4Y;1|#","^U;gW|","n}DV.D",",#+%$1","%IC9-b","ncdvAJ","oT8wy}","R8.n/U","O)XvSL","Zov[;1","hw([cI","'&>nT'+","<LXoS'","z>{gY`","0e;F|*{","XW=6#S","g*X<*0","/kDN?~","4\u001f5Ti-}","&(AOSY*u/","v}ynf:w","l0P#-z",".]O>tH","7e7!AZF","o/`}/W\"?j\u001f","J.+Q7*U1","I|ZK*P'","Zph1Ej:I","(yoi)LP","XYl6Ew","{fa^Q0","T]x(f9i","[,'YQH2","lKxcaI","T>RZ\\8fW",",iMJM*","NE?:hY","qXb=)<)?","oI;Y(>","!@cb1W","3F, >4)","L^;JG*6","ik,\\+0"," ?/-l@","HEV;$`-",",t^9vLdt","]O01Zg","n9`3>j","F4SPN,","@y\u001fo&C","<1:N.*","\u001f4S:HM","\u001f_*eE#","e,mzv4WQd","S-j*|0","P?h{e\\^","^{gdb3",";BRZ\\:2-\u001f","^*]r;<","<w2tx[ZK","B/4&=>V","C@5QR*","{O&O>0","Aa5c}^","!.iY6fWU","+PF3V,","Ad\"S6c","txu6<h#",";oDaPZA",";KYCUj","6*!he0z","`uO\">n(4","!K&asy","HuL)=,","j9r%.F?","\\;'MG$",",Zb^&8","Qsg<oQMC","TP*4OTe","mJGvmx1/","VO|l(G","Y!V(gD","K`i$F,h","DrnG!-","~W,UZG","|sOZpJ","UF*mom","Mc`@#\"","?{+=(b","y8Qh/o","$OdNkB","5N:]#v","))F#1P","r[jR^Qv","c*(<Py6","S<p\"t/","8X27\u001fA","IUlMlV@",",+iP=C","4>;G[#","06h<sg","9|=4CR'B0","A3<'5|","-!}:WEK","z8YhM>","lLOHAK;7","=_H@c+","/hs:l`'",">dKA`!","TfxY#qT","Xx_\"Z!","Wqs\\3 ","h#[),M","}K\\RG0","^__%Av",")M~lw|k","I4J73b","4P*7>.'","y)h{Hk","\u001fL6 t\\","2.hN+U8&p","r^u|9?","K0MP.V","!h_#q}ez","A8fp; ","HnDb`a0","j]jBp:","4``[;0","'Gqd\\f","dE(7k]","s7I~'Ip","=}h\"IhI","DI0*?U","}a/ 9\u001f","[:zc_E(","-{x?N~"," '{9;v-e","~g7lGz0","z6*[w<","%>E9|]gi","t_H}XT","W-K[oM","xq(jR|3D)","i0Byf=","4Su-t'",".h?5UF","n,[b6i","\u001f8}/J/","$6JVh6","\\mgr-u","M]9\\HB?","e*V{\"$","F`517f\u001f!)","7Sm(DF","vNaZCV","vjy<{$","o,4>\u001f]","Pw2~<6A","%7mxX57","4]*0D,\u001f","\"LR19}",".`<)&N.","$Qp.Lj","E|fk&,;","T !Vom","'G/`|M;","PEId_t<!","7U.g|wk","M@`K~d","fCwv0k","w+A}=[","Cg.znr","MnoEGB","[F.2wp","7Ws T:","?yN|(!","YJ3Jrrli-|","b4#Y/|","-cIrC#;","5mEF-Y_","~BPaMNAq=","}TG\u001fNE","-L>wN%g~","7zS1o~YU$W","iM,~*Q[/="," T 
qiXb#","Oj!\u001fD)","(!UFs{","4d]z.w","4`@YB'","zG>2i)","J{341@","Y'{WIQ2","wlVJ>j","9X>q1|","q[LYsw","aYFw6B}","u',r\"@Nh}q","}jc;]T","2^JIcp","nK+ Jw","|(d%0%","+/km/y",",62t9x","P;zR j","~XMsY\u001f","RO\\\"3`","QX;^6*nt","\"vd-2!",";N6D\"5","C)<'9W","g;\"VW ",";nX4JEb","t=D*1 ","EDXcWtL","$n!uep","tVvzC\"","WH[wL4","d:QOU>x@","o#/w#Z-","/uulk\"NI","=nX/h{p^r","+=QZOD","%R4vJ-r","{);z5V\"","?YIb<7","<rM6sFv","^BbepS","@;CJzW","x?)OSC\"WY","YW}~7%",", WnrEcj","l^XZYAUj","\\/'.4p3","Z-'}~a","~pHe;T","SfZM:c<","&\"|1&v","=ib\u001fzA;Y",">3,/lTj2","m`aShE","ISH#MU","wD ozv3pL","[?'jMi~","\\,Lr.LW","C)k;/\"","r_II34","Zs %Gi","{qmeRz","{V8F\"5","Js[w~q'X","=oUD%K","w7kUHL9","+RfrJ@$7","cKU/L[","?-K!9\"k","1!9F8{","sYHE4X1","heS>h;","}`O=,!z","4!@[|~V7=:","@ob \\*","%u&k+N",":b<Cjzb","w<X&mu","<$4v).","@^hwY!0","kOw!6NR",",)<uPq","1Ewts}","A5#V0C","e_dv/sG)1\"",".%I}=)","q6Py\"~)","I5Z^#7","433X5YrZ","c_yg8#as","vx6`B$","}8E\\_M","da4.+e","D3']q-|","_<XwLh0","|DYshu","**75RfX","3LnBL_","\u001fDav]r","W(o*SE","[i|k>=7","5|avPc","X\\A}r %%","|d.tZ9",",+Qj=1w","9%o\u001fzD","=kf-+G",",dy#P&","|k(6XdB","IP9Ivx","_XCy.e","8Pw?md","#D5bK]\u001f>","h\"^^#u","/!Nn+m","z!\\R>E","'ux\\=[#","UT-$5-","l~{U<k","QaJp:_","x2t4Cm^","&:Ye=\\","mSH5X+ZJ","=UDj\" ","3_2QB,T","c}b;]tb","v_93?g","5<r(iA","uxH*S;",";KcA$]s","B\\{#g^>j","di6'?!0","x40oU4%","TeKmB,","`aq\\kv","y\";QM3","|d-;+'c","<G\u001f\u001fXX",">O&3yL4","d-:aASPR\"","F<{y;(","|hQ@$?","vzn_3=","v7yN!&","9EmRH^xp! O","s-G_'k@OW","gdc#iP|","*KLzi/","I]O.|Dxn2","En*6_D","~x%A57w"," kL=$a\\","?D8J<f","`W_)40","E8n+PhH","f!<|W%","cWwnz ","5$:6T}","TJzTvH","{=&lC1","D99Mc^","JQ =cJc","3=|8c1w","2Y+5?H","Y^smOS","F6m-b=","6rtadW","S\\{kvQ","fDk0Mz","a_![9y","tZ<%)O","K%z'-U","jW`n-\u001f","FE:H!_","o8wb34'b","p6] CX","'mxf. 
Z","J9`Y;\"","^3a=2.","5yLUS)\\","Me8lRx",".iT\"yj","F}=96n","B|2iPu","V 2?I6","K4_Trv",">t<9$P","7!|#1w2","i5=<qn","B9,w=?","d8WC+H","E#=.)C","L^aEk.T;",",E/jS3","6nZucm\"","l4jmrj","+BT?'4","T5m *q1","4$(%<]4?L",",Sac]H","F|iR6}Znq","d\"6 zB","\u001f^8d$Lc^2>","A U|(]n","`h>\"Oe\"","}oBbj+","&)&4&s","DX+3^:n","xg&lTV","}]r7s8?","D{ Ifbv","y`FBQ9","pLr-vJL!}T","/&8/`[","`pU6[Y~[yX7","PK+l-\"","\u001fjm\u001frTA","lL>Tu/h","x.~Y~g","IZ{>iG","\"_9zx_","-R?\\BYL","oK{rJL","kF(ntd","vjb(.z_","df2ap3","y>GeBD","^zALa4","\u001f|1$&9W","89++vd","'x{~?h9","pbys6Y7","B2'^on`","]eM2go","+Oj@n;","/WYg0m","EqKiNm7","?>y1E+","|\".<9^","~wQ$aAP","+r\"RDo","|Ikox@","=\"Zgg>","}#/>lD","_D4Szs","8//HYx","^zt.<u",";{qa*oM","0Wa[=B","=F8=ymt\\ 7","/:\"u`E","ig\u001fGL$w","%l}\\5GF\u001f","3QZA!G","d<NvEQ","m%TDBp","P+>:,s","cn5oGz","m/JMYYw ",";(|-`S9","WDgP3\\","S- groW","S^42YM","D>]5=b{","s+h-WF!","?Fl& ~}","jb~rP ","PY`J%C","Y,~,mNQ","@iQ[x>(Z","#\"<KH@","!qh<& ","9)ERV{R","dO@\"&+","GNYng!","g5_Xh3H","T\"v80C ","t@lk@4Z","u\u001f\"0!+","&\\$4WT\"","[hlcFr","2ji?\"'","8?;<bo ","3?tG'#","qKVdd<","QK,M0oQ)","uJ:d<3","0*li4=",">d\\Xk!","VhYwMG","\\n|%T\"","\u001fPkT:=}","~rDXfI",":3-~O/{","'}!TK0",";rb\"8N","@V$3XAA{"," @}++\"","'q\"3Ip","9G=~HO","^6?!:8","h#@Ke<",">?Y~ZXig","T6sc'>","uH3TJ,","#iO\"T-&","=ln0 v`","7yBQclg}",",ys!47",":)5&N\\","6)#G1=","1);C 0","iKt0G=\\","/rZ..t(}","i1bj!v","!CGcWn","3Y SwH5",")%i3G\\R","3=H%-d","{(G(20xx{","l&o\u001f*~;",",Z)%kLi","]n%pqD",">A-j^F","N|u#LjWZ","fSSyjF","vO3qh(S","~3_`k[=6","uV_Xff","c@o&FE","IZW(Jq","n :e_Z","}o)~iD","8K>8b.!","96&\\NN","!\\sMV)","7hM=up","1ch/<*","&SOGD7<]","(#O_=OBCaex=","jZA'-9","@X:r?6"," 
z>$0S","d*+'c)","^sF_V7VFg","U.Rj(o","ff:IZ&E|=o:%","@6=cp$","DAu7~\"7",">>KYv9S","&/^,`|{",")oaq#=","C[U\"9_P","vQO75H<","&8gYDP","rzX7]Oo","X'?,Yp","?i{G\\^","zz$iK[","k|~)\u001fdxh","JO39k\\","9\"(*Y:","5Hlb7E","aZ()tR~","l)sfo\"","\"}K-TF","F|~nuI","PT'|+>","!^n#d^","E}>S>0n","A=#b,6","[f(K3X<","AGq_WX","l~F%Z#W","}2VzlX","<%w7k/","1h|4APO","'bSb;7","N*@tHXq(","kn@SkX","5Auk{:","U\\{{R<6","w8(@p0","CiO>tD","{_|2X;","n1}0gV","]2'n{JV`","ot)uz)","$MDu6&","A\"9y `:","vR-,:ZN","(/.(z12","Z}h!-TI",";[BG|c\u001f3l","1@1iU_","T\"aXLl~","]5GsgOm","$m@kQ*E","b`IawA","\\!K&-Q[6",";QMY;P","5T%uZhUVd","(7m@4Ux","BX^7Hs","<<Dd`wl\\","DN>\u001fS;","$e vn\"s","&M~&(c","%xSg!&","96$)r0","z nDuT","I;vD^c","8?-}|h}","X`\u001fDdH5k","I)@u:b","uo!INN","c)uV=ZuSqZ","E<vuk'","c<9tv1P","n5>)_&","Xc|}Ja","g Bs},","kY\\P3jUK","(P2AAP@","Zp*ut;!X","@GX|)E","/wWqjt","1 8!{B\u001f?$","n(Pvb[[","R3t5u8","T7[]& =","j&&jf>","5+Nx|`","stPW,0","w^]`\\',","OKqJ y","+CL(u+","/VksQ>","LW|H560","W,a2iQM","(-XwA`","$cD]StJf","(LL~QE$","S:j.9~b","z&kKJ{?!","zO^PhT","2#y+>j?","V}F{O+","IcU0U-","0=k\",Q","\\76%S,U|","k{qyE|","QwqZo`","m\u001f7r_M","I2rP]b","(.|}<s","mb@3eT",".3Ek[v","`X~zA&","L3Q%2IkH","F1E\"F3-","-VHe!_\u001fr","ty3T{j","gC&D4A","1#}4k[","Fe>66N","}\\iD=D","j0SM3q&","y[v{Hg","*}`R@$","R`$u1y2 ","`:nn#p0","mL?8o'{","+A\u001fyAC0","-9Ex5\u001f","{2M.=eP",")hJy;BQz!","9^\u001f0K ","0OG&\"y","_J}PfuJ","BgCF.tR"," ,0iSQ","TeYn~w`y",")?I$(%","+?XrF3","u|G:F.","JQAS%M","2QU }(","yx6c]n2","B1|7E*f-A","{9k_mH","m{$3mo7","64#Yhq",";Z;h-w,BZ","@NY!c2D+?","=7C+o`","P'WMifq","&r>MCP","U9ziw>",".=~igz%","2MSbK[","6UdOh|LzRF","((@v]5",",oA1]CG","\u001f+W\u001f*Y","8`w+*S;","I&lc\">","EHb~t]>",",lJ{F<","_/jV@q","9T^S59t^","jZtY@Lu","2]%_r,","yv<\u001fllC","_gRcp`","Ifop)A8","HNqBS ","8=C1PUf","V]$~RR","U`U>} 
","8/xg@%","ZY\u001fSi\u001f","kuzW7#;","KmXdnt","1\"n9Pt","y9?/,]","DH\u001fj4XwL","'F^}/CM","QO/~O6_","$4ot]0=","$*sV\\>","iI/yMq",":}J=1^","gzl)&^","`0Cbn!","c|w=6d","=u[_>X","[xs2.o7d","Y~B\u001fo]$","Hz74Jl",":qcj R","Xf<]7i","9,Em$<","Q:@8hp","w FtBGu","22\\k1V","Gp=Cc-","YI%bSz*","+Et1|M","5=g,Z`s4w.","/QJgf# #","j]k?6)","JDm@&%","Ytl\u001f:L","f'TI6^","0Y,w,v\\","m mV2d",":$4#O'","6}Xcy{","/VbEb{`","3&-\\s)D","sR.r[_2","PV[O}b",")NvC3?V","I65I.0","6xPx|e","3HP77-2Z",". M%rY","-nA]#R","S#r`<.#","an]RDw","B\\S8z4l","t\":R7c","+l1WIG","4Trch[","/ED:21:","/(Zhj\\d","xdNioq","%eY-6,vN{","~9\\UOA","@24N4U","I_$2 G","7gEZ\u001fT","2q'?DN","Sl<U?/J","F(zI|#8r","f&v>x`3m","xg8;\\w","Eg1\u001f]U([","[C?aAEN",">G@p?<","zJ/6*8G","Cji?~6x","/NN\\Jz","erI\u001fs{g","Wk=/X~","Ig%8h&N","6W ,i@\\","\u001fdoY6b","?I'(8c",";fS$.qR","1QQD&*.S;","{Fwp6P","\u001f.Q.x-'","XnmLe0","#L)m8V","b_>nM\\","aT\u001f`Is","B\u001fC\u001fJ;","Q!1Me[",";CE[YUr","&II$\u001f>H","QN1O\u001fd","$fBRM^A","0j=o\u001f\u001f8W","H#fUVl<2j","E7* 4V","G$pje-","]B7.,{","lI2qR\"","l~D\"-M","\\ (VUj","FlSZVyM","/9rm\u001fkw","d\"f?\u001f[","=j#Aqw","'*!&v:",")f'dv'(","h2vxntA","2fO\\#?","@JGg#G","GqIjx.","=7}%6j","dXt.s1b","T42JGlzU","NlX$Uat","8h'UtV","uQzx/2","dS],J'","6n(fF$","'(BzG_","nzMB+z0","RSj4]O","vat}hg","mc_[a5","N3k6Dkn","MDU\\7p)g","MrKeN\u001f","a&;s8@","Dsk+}}","`**-b0","OGcPC4","72gm@5","6omRC?c6","0107sh ","_C~k*K","vz}/]RNb","tu\\pP\\Kz",",;muvQ","HIFw<MK","3?c:/E_m","_~:x=\u001f>^","j5Aq2Q","iEC\"zT","Vc828T","~w[\u001fk#","rV=he7","'JX;\u001f0","RQ=t'>+Y","m\"dUBu[}{","Dd6~,*0","~Oz-v;",":8bC0^",":FH5\"g","cG\u001f4LA","\\OljvR","&)YC]W)","qHFhKCEH","e,|'_]","S^o<&Z}","RrIi$>XOb","_c$ ,@>I","\u001f7<7=5",":|GM\\i80","li!sDK","){yL0@'I1","|}NMpc","x~RO*G","CZR2sZZ","sf8-4w","!(WJRM#","dt^tM]X","5bJ2A\\","-n$&dka","b:*5E1","<Y#`?<","wL16~H","Fn6\"tk","ogLF'P","RVL`Vy","VmG<)tV","h+I2V7<1",",KWAOf","\"*|t0~","}8R|Ro#T","WG8*6^LxF","j-PIHr","+C}oCDSG","#\\|4%_","e 
^og{","|6t'ZFX","\u001fr4cSE","C6Qo<q","Xz!du>","P(<F\"g.Q&","I2Y&v[",".+gx<%(N","b8?}.`V","l.V bh","H/} TJ","\u001f5:n)3T","UZ72+m","AFpU54","Q+:!%,","z/h\\;l|","},;fS<X\"","fW1EP_^","WnsOdy","2oC\"$e","&*6#/q",":[8v8n","9-`Ziw","s{=6N85","<5`\"]c","\\o%DyPL","Flz@S+Vg7","*3x7nO","`0;9{b","6k!EuH@tY","5Nj?]P","+]M,h9;","$g6>@I","/07OrO)",":qg!nSs","$.Gyzf","OQJ\\Gv","nP}I<E!f","&/hZ|p","#<~Wzr2b5b","DYrO=5K","U~TbpW","I@<k#EpQ","4Z|5V$","D);0$}","Vkt2WSxV\"H","|%}Yap","}B1}/X","I:l:3$","<MC)}a","2V3y\u001fQ","<^aQK\u001f^","G<=oLrG","!YByU.","?cv1Ed4","/+C8-ue","g&0y<%-4","STx-mB","epW\"bVm6",",;oNp)","u`OS3C~","yw/D@#","C{/KH2","CL8NQ5","Lute0X^","Y/QtDd'","yAzCHx","E?$>.\"","<f}+^f\"","L\"z>G~iG","=zLO< *.X#}","I\"S-pY\"","lCaa*p","p!$4zg","?/O0Rw","Czvc/{3","F]kYd ",":=W\u001f\u001fd","ykl &3","7~E]*.h","^]~SRg","L}$jEQ","&^3s.1","n<*;JW","gp^q3q","8K\\{Q5","o)3^e0","28{POn","z.2Od|;","h&)4;BbS","J=oF>O7","g-n5pl&","<+?_l8","P\\QoihPzo","'GrXn>","bis~Cq9","nIwmQ/mKv:","V>{onu","+v^}uU",";vJQdpD-","Gc[k\u001f3","iER4lc",".o0Z\\`","ki*XJaq","kPxDga'Gp]","cC-5|Q","CFC;WnvW","%OLGFl^","MlV/3T}K","\u001fz9m=w","_($_z)r","lJz,Fw","NLN|\u001fl'","!j&'F9","O_1UY~;`","-r_6HJv","b`q\\x\\dq","{h}\\a%",">~9W3J","ffV,6H","Y6(qJV","xsCx=U","_bq\u001fiq","mzEtq{","vD#o3K","TSilz\"a","<h  HT","0hnj+g(","\u001f@;aBk","0KN'@ X","5frU7R","W2K?\\U","YTdo/-","J7yepb","8q-h-y","j`<z^(8","q}@DhHC$","F8!u$1-","q[nnO&J","Y<?^({","-<+qC(","k #U\\4h","|FN-/^","PDgbzL","FnB:W'","~v:Us&","$j]X:t","M)E7ZK0","7L{Si^H","T|QW5m","IJ^'A1R<","7cpF.#","thmuo)","tQ@1?\u001f","?3_\u001f.i/","(j9:-^","h,3pxp","UI\"^gE",")el=6Dl7",";U%}nQojL","%Lz4p+","m1d2xJ EO","^? 
CNt$","A-H`n#","qFaw$Q","&?8q)Y","bWI7.-","GSVW w","N`l~?E","\\^~rs{:",">{yN,L:m","w}QrU=D","chg1xI","xgi?kq","`%hx4d",")uj| |","lX=BXU","odzxo I","B`<qoM","J)zqoN","*Ix,93","kr~J-c","6hL[QTr","@^]mFP","Y'LflI","rCIAJh","+\\&zLbgNu","ilU=}L]","&I!qC@w","(|'zp[","A^^\\lV","Ye(36#8","(_5C+D","Ya\"pN#","gV[A=9","j{e S4","eiipak","-%OSY@","jBr\\a~","f,MF*S","t*K6X]","KdBA&'","q7#AN+",">c:BTV[",",o$#s9","it9\\PST","DQY>3G<","tSW\"6\u001f","?+uN~;o","><^]+w","egi+fU","-@M^Nt","bK'nZX","?p<+=hZ","?96j[Eh","ttYo%$","&9}_hm'x","k4z7#8","p:->%[","e#B@idEo",".o&~Fh}XSCK","]IV`KQ/[","~eC(/{d","\\Gx:*i.","-\\/_2f>","8U0 ACJ","+ID%GWd7","zv2>N)","Up@xk17","t$t#t$l","D$t#D$h","D$t+D$\\",".)D$H)","s`)L$4","D$t+D$\\","\u001f)D$H)","9l$\\w_","XPTPSW","wwwwwww","KERNEL32.DLL","msvcrt.dll","LoadLibraryA","GetProcAddress","VirtualProtect","VirtualAlloc","VirtualFree","ExitProcess","IDI_MAIN_ICON"],"target":{"category":"file","file":{"crc32":"33F8BB85","md5":"9fbdc5eca123e81571e8966b9b4e4a1e","name":"Win32.DarkTequila.exe","path":"/home/jean/.cuckoo/storage/binaries/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47","sha1":"7a5b7c5378e0afcc77098a87358e4f6a032d3b00","sha256":"dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47","sha512":"13aa9eb138a716ce9b5e90806c34b5b724a0be78bb747a50b28e9c48e6eed317ff0b46652dc1fcabb973d6a6a5e3a770eea85cfd8b5a0e723f58f4edce2bdd9e","size":877568,"ssdeep":null,"type":"PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed","urls":[],"yara":[{"meta":{"description":"(no description)"},"name":"loki","offsets":{"var1":[[91,0]]},"strings":["Y2Fubm90"]}]}},"virustotal":{"md5":"9fbdc5eca123e81571e8966b9b4e4a1e","normalized":["AIDetectVM","malware2","malicious","high confidence","score","Dynamer","GenericRXAA","Unsafe","Kryptik","DarkTequila","Graftor","TSPY","Eldorado","DarkTeq","Bancos","dyfxok","Gencirc","EBT@611gnb","XPACK","Gen3","DownLoader17","cobra","R + W32","Crastic","Static AI","Suspicious PE","Strictor","ai 
score=100","SGeneric","Mydoom","trya","BScope","EBTT","x7t89GcJVs8","Genetic","confidence","100%"],"permalink":"https://www.virustotal.com/gui/file/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47/detection/f-dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853","positives":62,"resource":"9fbdc5eca123e81571e8966b9b4e4a1e","response_code":1,"scan_date":"2020-11-17 01:50:53","scan_id":"dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853","scans":{"ALYac":{"detected":true,"normalized":["DarkTequila"],"result":"Trojan.Agent.DarkTequila","update":"20201116","version":"1.1.1.5"},"APEX":{"detected":true,"normalized":["Malicious"],"result":"Malicious","update":"20201116","version":"6.98"},"AVG":{"detected":true,"normalized":[],"result":"Win32:Malware-gen","update":"20201117","version":"20.10.5736.0"},"Acronis":{"detected":true,"normalized":[],"result":"suspicious","update":"20201023","version":"1.1.1.80"},"Ad-Aware":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201117","version":"3.0.16.117"},"AegisLab":{"detected":true,"normalized":["DarkTequila","trya"],"result":"Trojan.Win32.DarkTequila.trya","update":"20201117","version":"4.2"},"AhnLab-V3":{"detected":true,"normalized":[],"result":"Trojan/Win32.HDC.C138160","update":"20201116","version":"3.19.1.10100"},"Alibaba":{"detected":true,"normalized":["DarkTequila"],"result":"Worm:Win32/DarkTequila.7550016f","update":"20190527","version":"0.3.0.5"},"Antiy-AVL":{"detected":true,"normalized":["SGeneric"],"result":"Trojan/Win32.SGeneric","update":"20201116","version":"3.0.0.1"},"Arcabit":{"detected":true,"normalized":["Graftor"],"result":"Trojan.Graftor.D1F955","update":"20201116","version":"1.0.0.881"},"Avast":{"detected":true,"normalized":[],"result":"Win32:Malware-gen","update":"20201117","version":"20.10.5736.0"},"Avira":{"detected":true,"normalized":["XPACK","Gen3"],"result":"TR/Crypt.XPACK.Gen3","update":"20201116","ve
rsion":"8.3.3.8"},"Baidu":{"detected":false,"normalized":[],"result":null,"update":"20190318","version":"1.0.0.2"},"BitDefender":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201116","version":"7.2"},"BitDefenderTheta":{"detected":true,"normalized":[],"result":"AI:Packer.519AA5961F","update":"20201113","version":"7.2.37796.0"},"Bkav":{"detected":true,"normalized":["AIDetectVM","malware2"],"result":"W32.AIDetectVM.malware2","update":"20201116","version":"1.3.0.9899"},"CAT-QuickHeal":{"detected":true,"normalized":["Dynamer"],"result":"Trojan.Dynamer.8198","update":"20201116","version":"14.00"},"CMC":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"2.7.2019.1"},"ClamAV":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"0.102.3.0"},"Comodo":{"detected":true,"normalized":["EBT@611gnb"],"result":"TrojWare.Win32.Crypt.EBT@611gnb","update":"20201116","version":"32996"},"CrowdStrike":{"detected":true,"normalized":["malicious","confidence","100%"],"result":"win/malicious_confidence_100% (W)","update":"20190702","version":"1.0"},"Cybereason":{"detected":true,"normalized":["malicious"],"result":"malicious.ca123e","update":"20190616","version":"1.2.449"},"Cylance":{"detected":true,"normalized":["Unsafe"],"result":"Unsafe","update":"20201117","version":"2.3.1.101"},"Cynet":{"detected":true,"normalized":["Malicious","score"],"result":"Malicious (score: 100)","update":"20201115","version":"4.0.0.24"},"Cyren":{"detected":true,"normalized":["Eldorado"],"result":"W32/S-91f5258d!Eldorado","update":"20201116","version":"6.3.0.2"},"DrWeb":{"detected":true,"normalized":["DownLoader17"],"result":"Trojan.DownLoader17.30288","update":"20201116","version":"7.0.49.9080"},"ESET-NOD32":{"detected":true,"normalized":["Kryptik","EBTT"],"result":"a variant of Win32/Kryptik.EBTT","update":"20201117","version":"22331"},"Elastic":{"detected":true,"normalized":["malicious","high 
confidence"],"result":"malicious (high confidence)","update":"20201030","version":"4.0.12"},"Emsisoft":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365 (B)","update":"20201116","version":"2018.12.0.1641"},"F-Secure":{"detected":true,"normalized":["XPACK","Gen3"],"result":"Trojan.TR/Crypt.XPACK.Gen3","update":"20201116","version":"12.0.86.52"},"FireEye":{"detected":true,"normalized":[],"result":"Generic.mg.9fbdc5eca123e815","update":"20201116","version":"32.36.1.0"},"Fortinet":{"detected":true,"normalized":["Kryptik","EBTT"],"result":"W32/Kryptik.EBTT!tr","update":"20201116","version":"6.2.142.0"},"GData":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201117","version":"A:25.27695B:27.20909"},"Gridinsoft":{"detected":true,"normalized":["Mydoom"],"result":"Worm.Win32.Mydoom.ka!i","update":"20201116","version":"1.0.17.106"},"Ikarus":{"detected":true,"normalized":[],"result":"Trojan.Win32.Crypt","update":"20201116","version":"0.1.5.2"},"Invincea":{"detected":true,"normalized":["R + W32","Crastic"],"result":"Mal/Generic-R + W32/Crastic-A","update":"20201117","version":"1.0.2.0"},"Jiangmin":{"detected":true,"normalized":["Strictor"],"result":"Variant.Strictor.h","update":"20201116","version":"16.0.100"},"K7AntiVirus":{"detected":true,"normalized":[],"result":"Trojan ( 0004a2ea1 )","update":"20201116","version":"11.150.35741"},"K7GW":{"detected":true,"normalized":[],"result":"Trojan ( 0004a2ea1 )","update":"20201116","version":"11.150.35742"},"Kaspersky":{"detected":true,"normalized":["DarkTequila"],"result":"Trojan.Win32.DarkTequila.d","update":"20201117","version":"15.0.1.13"},"Kingsoft":{"detected":false,"normalized":[],"result":null,"update":"20201117","version":"2013.8.14.323"},"MAX":{"detected":true,"normalized":["ai score=100"],"result":"malware (ai 
score=100)","update":"20201117","version":"2019.9.16.1"},"Malwarebytes":{"detected":true,"normalized":[],"result":"Trojan.Downloader.FB","update":"20201117","version":"3.6.4.335"},"MaxSecure":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"1.0.0.1"},"McAfee":{"detected":true,"normalized":["GenericRXAA"],"result":"GenericRXAA-FA!9FBDC5ECA123","update":"20201116","version":"6.0.6.653"},"McAfee-GW-Edition":{"detected":true,"normalized":[],"result":"BehavesLike.Win32.Generic.cc","update":"20201116","version":"v2019.1.2+3728"},"MicroWorld-eScan":{"detected":true,"normalized":["Graftor"],"result":"Gen:Variant.Graftor.129365","update":"20201116","version":"14.0.409.0"},"Microsoft":{"detected":true,"normalized":["Crastic"],"result":"Worm:Win32/Crastic!rfn","update":"20201116","version":"1.1.17600.5"},"NANO-Antivirus":{"detected":true,"normalized":["dyfxok"],"result":"Trojan.Win32.Dwn.dyfxok","update":"20201116","version":"1.0.146.25233"},"Paloalto":{"detected":true,"normalized":[],"result":"generic.ml","update":"20201117","version":"1.0"},"Panda":{"detected":true,"normalized":["Genetic"],"result":"Trj/Genetic.gen","update":"20201116","version":"4.6.4.2"},"Qihoo-360":{"detected":true,"normalized":[],"result":"Win32/Trojan.160","update":"20201117","version":"1.0.0.1120"},"Rising":{"detected":false,"normalized":[],"result":null,"update":"20201117","version":"25.0.0.26"},"SUPERAntiSpyware":{"detected":false,"normalized":[],"result":null,"update":"20201113","version":"5.6.0.1032"},"Sangfor":{"detected":true,"normalized":[],"result":"Malware","update":"20201116","version":"1.0"},"SentinelOne":{"detected":true,"normalized":["Static AI","Suspicious PE"],"result":"Static AI - Suspicious 
PE","update":"20201105","version":"4.7.0.18"},"Sophos":{"detected":true,"normalized":["Crastic"],"result":"W32/Crastic-A","update":"20201117","version":"4.98.0"},"Symantec":{"detected":true,"normalized":["DarkTeq"],"result":"Backdoor.DarkTeq","update":"20201116","version":"1.13.0.0"},"TACHYON":{"detected":false,"normalized":[],"result":null,"update":"20201117","version":"2020-11-17.01"},"Tencent":{"detected":true,"normalized":["Gencirc"],"result":"Malware.Win32.Gencirc.10b3f5ed","update":"20201117","version":"1.0.0.1"},"TotalDefense":{"detected":true,"normalized":["Bancos"],"result":"Win32/Bancos_i","update":"20201117","version":"37.1.62.1"},"TrendMicro":{"detected":true,"normalized":["TSPY","DARKTEQUILA"],"result":"TSPY_DARKTEQUILA.A","update":"20201117","version":"11.0.0.1006"},"TrendMicro-HouseCall":{"detected":true,"normalized":["TSPY","DARKTEQUILA"],"result":"TSPY_DARKTEQUILA.A","update":"20201117","version":"10.0.0.1040"},"VBA32":{"detected":true,"normalized":["BScope"],"result":"BScope.Worm.Autorun","update":"20201116","version":"4.4.1"},"VIPRE":{"detected":true,"normalized":["cobra"],"result":"Trojan.Win32.Generic.pak!cobra","update":"20201117","version":"88258"},"ViRobot":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"2014.3.20.0"},"Webroot":{"detected":true,"normalized":[],"result":"W32.Trojan.Gen","update":"20201117","version":"1.0.0.403"},"Yandex":{"detected":true,"normalized":["Kryptik","x7t89GcJVs8"],"result":"Trojan.Kryptik!x7t89GcJVs8","update":"20201114","version":"5.5.2.24"},"Zillya":{"detected":true,"normalized":["Kryptik"],"result":"Trojan.Kryptik.Win32.820724","update":"20201116","version":"2.0.0.4223"},"ZoneAlarm":{"detected":true,"normalized":["DarkTequila"],"result":"Trojan.Win32.DarkTequila.d","update":"20201117","version":"1.0"},"Zoner":{"detected":false,"normalized":[],"result":null,"update":"20201116","version":"0.0.0.0"},"eGambit":{"detected":true,"normalized":["Unsafe","Score"],"result":"Unsafe.AI_Score_6
4%","update":"20201117","version":null}},"sha1":"7a5b7c5378e0afcc77098a87358e4f6a032d3b00","sha256":"dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47","summary":{"permalink":"https://www.virustotal.com/gui/file/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47/detection/f-dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853","positives":62,"scan_date":"2020-11-17 01:50:53"},"total":72,"verbose_msg":"Scan finished, information embedded"}}
+{
+  "behavior": {
+    "apistats": {
+      "1952": {
+        "CoCreateInstance": 2,
+        "CoGetClassObject": 4,
+        "CoInitializeEx": 1,
+        "CoInitializeSecurity": 1,
+        "CoUninitialize": 1,
+        "GetFileInformationByHandle": 2,
+        "GetFileSize": 4,
+        "GetSystemDirectoryW": 3,
+        "GetSystemInfo": 3,
+        "GetSystemTimeAsFileTime": 14,
+        "LdrGetDllHandle": 8,
+        "LdrGetProcedureAddress": 39,
+        "LdrLoadDll": 9,
+        "LdrUnloadDll": 2,
+        "NtAllocateVirtualMemory": 16,
+        "NtClose": 58,
+        "NtCreateFile": 5,
+        "NtCreateSection": 4,
+        "NtDuplicateObject": 2,
+        "NtFreeVirtualMemory": 6,
+        "NtMapViewOfSection": 4,
+        "NtOpenDirectoryObject": 1,
+        "NtOpenFile": 1,
+        "NtOpenKey": 3,
+        "NtOpenKeyEx": 91,
+        "NtOpenProcess": 2,
+        "NtProtectVirtualMemory": 2,
+        "NtQueryKey": 99,
+        "NtQuerySystemInformation": 1,
+        "NtQueryValueKey": 39,
+        "NtReadFile": 86,
+        "NtTerminateProcess": 3,
+        "NtUnmapViewOfSection": 6,
+        "RegCloseKey": 71,
+        "RegCreateKeyExW": 1,
+        "RegEnumKeyW": 6,
+        "RegQueryValueExW": 3,
+        "SetFilePointer": 108,
+        "SetUnhandledExceptionFilter": 1
+      },
+      "2976": {
+        "CoCreateInstance": 2,
+        "CoUninitialize": 1,
+        "CreateActCtxW": 2,
+        "CreateProcessInternalW": 1,
+        "CreateServiceA": 1,
+        "CreateThread": 3,
+        "CreateToolhelp32Snapshot": 1,
+        "CryptAcquireContextA": 1,
+        "CryptCreateHash": 1,
+        "CryptHashData": 3,
+        "DeviceIoControl": 2,
+        "FindFirstFileExW": 4,
+        "FindWindowA": 4,
+        "GetFileAttributesW": 1,
+        "GetNativeSystemInfo": 4,
+        "GetSystemDirectoryW": 4,
+        "GetSystemInfo": 3,
+        "GetSystemTimeAsFileTime": 6,
+        "GetSystemWindowsDirectoryA": 6,
+        "GetSystemWindowsDirectoryW": 7,
+        "GetVolumeNameForVolumeMountPointW": 3,
+        "GetVolumePathNamesForVolumeNameW": 8,
+        "GlobalMemoryStatusEx": 1,
+        "LdrGetDllHandle": 33,
+        "LdrGetProcedureAddress": 306,
+        "LdrLoadDll": 31,
+        "LdrUnloadDll": 4,
+        "LoadStringW": 2,
+        "LookupPrivilegeValueW": 4,
+        "Module32FirstW": 1,
+        "Module32NextW": 21,
+        "NtAllocateVirtualMemory": 50,
+        "NtClose": 230,
+        "NtCreateFile": 12,
+        "NtCreateMutant": 5,
+        "NtCreateSection": 6,
+        "NtDelayExecution": 1,
+        "NtDeviceIoControlFile": 1,
+        "NtDuplicateObject": 4,
+        "NtFreeVirtualMemory": 17,
+        "NtGetContextThread": 1,
+        "NtMapViewOfSection": 6,
+        "NtOpenDirectoryObject": 1,
+        "NtOpenFile": 2,
+        "NtOpenKey": 14,
+        "NtOpenKeyEx": 159,
+        "NtOpenProcess": 4,
+        "NtProtectVirtualMemory": 47,
+        "NtQueryAttributesFile": 2,
+        "NtQueryDirectoryFile": 71,
+        "NtQueryInformationFile": 3,
+        "NtQueryKey": 144,
+        "NtQuerySystemInformation": 1,
+        "NtQueryValueKey": 113,
+        "NtReadFile": 1,
+        "NtTerminateProcess": 3,
+        "NtUnmapViewOfSection": 10,
+        "NtWriteFile": 1,
+        "OleInitialize": 1,
+        "OpenSCManagerA": 2,
+        "OpenServiceA": 3,
+        "RegCloseKey": 26,
+        "RegCreateKeyExA": 4,
+        "RegEnumKeyW": 18,
+        "RegOpenKeyExA": 14,
+        "RegOpenKeyExW": 14,
+        "RegQueryValueExA": 9,
+        "RegQueryValueExW": 20,
+        "RegSetValueExA": 15,
+        "SetErrorMode": 9,
+        "SetFileAttributesW": 2,
+        "SetFilePointer": 1,
+        "SetFilePointerEx": 1,
+        "SetUnhandledExceptionFilter": 5,
+        "ShellExecuteExW": 2,
+        "StartServiceA": 1,
+        "__exception__": 5
+      }
+    },
+    "generic": [
+      {
+        "first_seen": 1606943649.755751,
+        "pid": 1952,
+        "ppid": 2976,
+        "process_name": "firefox.exe",
+        "process_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+        "summary": {
+          "dll_loaded": [
+            "ntmarta.dll",
+            "C:\\Windows\\system32\\IMM32.DLL",
+            "api-ms-win-appmodel-runtime-l1-1-2",
+            "C:\\Windows\\system32\\actxprxy.dll",
+            "gdi32.dll",
+            "OLEAUT32",
+            "OLEAUT32.dll",
+            "C:\\Program Files\\Internet Explorer\\ieproxy.dll",
+            "ole32.dll"
+          ],
+          "file_opened": [
+            "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+            "C:\\Windows\\System32\\stdole2.tlb",
+            "C:\\Windows\\System32\\shell32.dll",
+            "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe"
+          ],
+          "file_read": [
+            "C:\\Windows\\System32\\stdole2.tlb",
+            "C:\\Windows\\System32\\shell32.dll"
+          ],
+          "guid": [
+            "{00000320-0000-0000-c000-000000000046}",
+            "{0000015b-0000-0000-c000-000000000046}",
+            "{00020420-0000-0000-c000-000000000046}",
+            "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
+            "{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
+            "{d5f569d0-593b-101a-b569-08002b2dbf7a}",
+            "{0000034b-0000-0000-c000-000000000046}"
+          ],
+          "regkey_opened": [
+            "HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher"
+          ],
+          "regkey_read": [
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs",
+            "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative",
+            "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)",
+            "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles"
+          ]
+        }
+      },
+      {
+        "first_seen": 1606943648.427626,
+        "pid": 2976,
+        "ppid": 3028,
+        "process_name": "Win32.DarkTequila.exe",
+        "process_path": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe",
+        "summary": {
+          "command_line": [
+            "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"",
+            "http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974"
+          ],
+          "directory_enumerated": [
+            "C:\\Windows\\SysWOW64\\ieframe.dll",
+            "C:\\Windows\\SysWOW64",
+            "C:\\Windows",
+            "C:\\Windows\\SysWOW64\\*.*"
+          ],
+          "dll_loaded": [
+            "ADVAPI32.dll",
+            "C:\\Windows\\system32\\IMM32.DLL",
+            "wpcap.dll",
+            "api-ms-win-downlevel-advapi32-l1-1-0.dll",
+            "urlmon.dll",
+            "api-ms-win-downlevel-ole32-l1-1-0.dll",
+            "PROPSYS.dll",
+            "apphelp.dll",
+            "gdi32.dll",
+            "Shell32.dll",
+            "KERNEL32.DLL",
+            "msvcrt.dll",
+            "OLEAUT32.dll",
+            "api-ms-win-downlevel-shlwapi-l2-1-0.dll",
+            "advapi32.dll",
+            "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
+            "Ole32.dll",
+            "SETUPAPI.dll",
+            "CRYPTSP.dll",
+            "ole32.dll",
+            "comctl32.dll"
+          ],
+          "file_created": ["c:\\Windows\\csrss.dll"],
+          "file_exists": ["C:\\Windows\\SysWOW64\\ieframe.dll"],
+          "file_opened": [
+            "C:\\Windows\\AppPatch\\sysmain.sdb",
+            "C:\\Windows\\SysWOW64\\ieframe.dll",
+            "C:\\Windows\\SysWOW64\\",
+            "\\??\\c:",
+            "\\??\\PhysicalDrive0",
+            "C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui"
+          ],
+          "file_read": ["C:\\Windows\\SysWOW64\\ieframe.dll"],
+          "file_recreated": ["\\??\\C:"],
+          "file_written": ["c:\\Windows\\csrss.dll"],
+          "guid": [
+            "{76765b11-3f95-4af2-ac9d-ea55d8994f1a}",
+            "{00000000-0000-0000-c000-000000000046}",
+            "{871c5380-42a0-1069-a2ea-08002b30309d}",
+            "{000214e6-0000-0000-c000-000000000046}"
+          ],
+          "mutex": ["Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"],
+          "regkey_opened": [
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\Select",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters",
+            "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+            "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters",
+            "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
+            "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
+            "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
+            "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
+            "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+            "HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+            "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+            "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+          ],
+          "regkey_read": [
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
+            "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
+            "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+            "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
+            "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
+            "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data",
+            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache"
+          ],
+          "regkey_written": [
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName",
+            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\Wcsrss",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl",
+            "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64"
+          ]
+        }
+      },
+      {
+        "first_seen": 1606943609.640625,
+        "pid": 500,
+        "ppid": 384,
+        "process_name": "lsass.exe",
+        "process_path": "C:\\Windows\\System32\\lsass.exe",
+        "summary": {}
+      }
+    ],
+    "processes": [
+      {
+        "calls": [],
+        "command_line": "C:\\Windows\\system32\\lsass.exe",
+        "first_seen": 1606943609.640625,
+        "modules": [
+          {
+            "baseaddr": "0xff020000",
+            "basename": "lsass.exe",
+            "filepath": "C:\\Windows\\system32\\lsass.exe",
+            "imgsize": 49152
+          },
+          {
+            "baseaddr": "0x777e0000",
+            "basename": "ntdll.dll",
+            "filepath": "C:\\Windows\\SYSTEM32\\ntdll.dll",
+            "imgsize": 1744896
+          },
+          {
+            "baseaddr": "0x775c0000",
+            "basename": "kernel32.dll",
+            "filepath": "C:\\Windows\\system32\\kernel32.dll",
+            "imgsize": 1175552
+          },
+          {
+            "baseaddr": "0x7fefd5b0000",
+            "basename": "KERNELBASE.dll",
+            "filepath": "C:\\Windows\\system32\\KERNELBASE.dll",
+            "imgsize": 434176
+          },
+          {
+            "baseaddr": "0x7fefe0f0000",
+            "basename": "msvcrt.dll",
+            "filepath": "C:\\Windows\\system32\\msvcrt.dll",
+            "imgsize": 651264
+          },
+          {
+            "baseaddr": "0x7feff660000",
+            "basename": "RPCRT4.dll",
+            "filepath": "C:\\Windows\\system32\\RPCRT4.dll",
+            "imgsize": 1232896
+          },
+          {
+            "baseaddr": "0x7fefd290000",
+            "basename": "SspiSrv.dll",
+            "filepath": "C:\\Windows\\system32\\SspiSrv.dll",
+            "imgsize": 45056
+          },
+          {
+            "baseaddr": "0x7fefd0e0000",
+            "basename": "lsasrv.dll",
+            "filepath": "C:\\Windows\\system32\\lsasrv.dll",
+            "imgsize": 1482752
+          },
+          {
+            "baseaddr": "0x7feff350000",
+            "basename": "sechost.dll",
+            "filepath": "C:\\Windows\\SYSTEM32\\sechost.dll",
+            "imgsize": 126976
+          },
+          {
+            "baseaddr": "0x7fefd2a0000",
+            "basename": "SspiCli.dll",
+            "filepath": "C:\\Windows\\system32\\SspiCli.dll",
+            "imgsize": 151552
+          },
+          {
+            "baseaddr": "0x7feff3f0000",
+            "basename": "ADVAPI32.dll",
+            "filepath": "C:\\Windows\\system32\\ADVAPI32.dll",
+            "imgsize": 897024
+          },
+          {
+            "baseaddr": "0x776e0000",
+            "basename": "USER32.dll",
+            "filepath": "C:\\Windows\\system32\\USER32.dll",
+            "imgsize": 1024000
+          },
+          {
+            "baseaddr": "0x7fefdf40000",
+            "basename": "GDI32.dll",
+            "filepath": "C:\\Windows\\system32\\GDI32.dll",
+            "imgsize": 421888
+          },
+          {
+            "baseaddr": "0x7feff340000",
+            "basename": "LPK.dll",
+            "filepath": "C:\\Windows\\system32\\LPK.dll",
+            "imgsize": 57344
+          },
+          {
+            "baseaddr": "0x7fefda90000",
+            "basename": "USP10.dll",
+            "filepath": "C:\\Windows\\system32\\USP10.dll",
+            "imgsize": 831488
+          },
+          {
+            "baseaddr": "0x7fefcf60000",
+            "basename": "SAMSRV.dll",
+            "filepath": "C:\\Windows\\system32\\SAMSRV.dll",
+            "imgsize": 790528
+          },
+          {
+            "baseaddr": "0x7fefcf40000",
+            "basename": "cryptdll.dll",
+            "filepath": "C:\\Windows\\system32\\cryptdll.dll",
+            "imgsize": 81920
+          },
+          {
+            "baseaddr": "0x7fefd4e0000",
+            "basename": "MSASN1.dll",
+            "filepath": "C:\\Windows\\system32\\MSASN1.dll",
+            "imgsize": 61440
+          },
+          {
+            "baseaddr": "0x7fefced0000",
+            "basename": "wevtapi.dll",
+            "filepath": "C:\\Windows\\system32\\wevtapi.dll",
+            "imgsize": 446464
+          },
+          {
+            "baseaddr": "0x7feff1f0000",
+            "basename": "IMM32.DLL",
+            "filepath": "C:\\Windows\\system32\\IMM32.DLL",
+            "imgsize": 188416
+          },
+          {
+            "baseaddr": "0x7feff220000",
+            "basename": "MSCTF.dll",
+            "filepath": "C:\\Windows\\system32\\MSCTF.dll",
+            "imgsize": 1085440
+          },
+          {
+            "baseaddr": "0x7fefcec0000",
+            "basename": "cngaudit.dll",
+            "filepath": "C:\\Windows\\system32\\cngaudit.dll",
+            "imgsize": 36864
+          },
+          {
+            "baseaddr": "0x7fefce90000",
+            "basename": "AUTHZ.dll",
+            "filepath": "C:\\Windows\\system32\\AUTHZ.dll",
+            "imgsize": 192512
+          },
+          {
+            "baseaddr": "0x7fefce40000",
+            "basename": "ncrypt.dll",
+            "filepath": "C:\\Windows\\system32\\ncrypt.dll",
+            "imgsize": 327680
+          },
+          {
+            "baseaddr": "0x7fefce10000",
+            "basename": "bcrypt.dll",
+            "filepath": "C:\\Windows\\system32\\bcrypt.dll",
+            "imgsize": 139264
+          },
+          {
+            "baseaddr": "0x75240000",
+            "basename": "msprivs.DLL",
+            "filepath": "C:\\Windows\\system32\\msprivs.DLL",
+            "imgsize": 8192
+          },
+          {
+            "baseaddr": "0x7fefcdd0000",
+            "basename": "netjoin.dll",
+            "filepath": "C:\\Windows\\system32\\netjoin.dll",
+            "imgsize": 204800
+          },
+          {
+            "baseaddr": "0x7fefcda0000",
+            "basename": "negoexts.DLL",
+            "filepath": "C:\\Windows\\system32\\negoexts.DLL",
+            "imgsize": 147456
+          },
+          {
+            "baseaddr": "0x7fefd250000",
+            "basename": "Secur32.dll",
+            "filepath": "C:\\Windows\\system32\\Secur32.dll",
+            "imgsize": 45056
+          },
+          {
+            "baseaddr": "0x7fefd330000",
+            "basename": "cryptbase.dll",
+            "filepath": "C:\\Windows\\system32\\cryptbase.dll",
+            "imgsize": 61440
+          },
+          {
+            "baseaddr": "0x7fefcce0000",
+            "basename": "kerberos.DLL",
+            "filepath": "C:\\Windows\\system32\\kerberos.DLL",
+            "imgsize": 753664
+          },
+          {
+            "baseaddr": "0x7fefccc0000",
+            "basename": "CRYPTSP.dll",
+            "filepath": "C:\\Windows\\system32\\CRYPTSP.dll",
+            "imgsize": 98304
+          },
+          {
+            "baseaddr": "0x7fefdb60000",
+            "basename": "WS2_32.dll",
+            "filepath": "C:\\Windows\\system32\\WS2_32.dll",
+            "imgsize": 315392
+          },
+          {
+            "baseaddr": "0x7feff330000",
+            "basename": "NSI.dll",
+            "filepath": "C:\\Windows\\system32\\NSI.dll",
+            "imgsize": 32768
+          },
+          {
+            "baseaddr": "0x7fefcc60000",
+            "basename": "mswsock.dll",
+            "filepath": "C:\\Windows\\system32\\mswsock.dll",
+            "imgsize": 348160
+          },
+          {
+            "baseaddr": "0x7fefcc50000",
+            "basename": "wship6.dll",
+            "filepath": "C:\\Windows\\System32\\wship6.dll",
+            "imgsize": 28672
+          },
+          {
+            "baseaddr": "0x7fefcbf0000",
+            "basename": "msv1_0.DLL",
+            "filepath": "C:\\Windows\\system32\\msv1_0.DLL",
+            "imgsize": 335872
+          },
+          {
+            "baseaddr": "0x7fefcb40000",
+            "basename": "netlogon.DLL",
+            "filepath": "C:\\Windows\\system32\\netlogon.DLL",
+            "imgsize": 712704
+          },
+          {
+            "baseaddr": "0x7fefcae0000",
+            "basename": "DNSAPI.dll",
+            "filepath": "C:\\Windows\\system32\\DNSAPI.dll",
+            "imgsize": 372736
+          },
+          {
+            "baseaddr": "0x7fefcab0000",
+            "basename": "logoncli.dll",
+            "filepath": "C:\\Windows\\system32\\logoncli.dll",
+            "imgsize": 196608
+          },
+          {
+            "baseaddr": "0x7fefca50000",
+            "basename": "schannel.DLL",
+            "filepath": "C:\\Windows\\system32\\schannel.DLL",
+            "imgsize": 360448
+          },
+          {
+            "baseaddr": "0x7fefd660000",
+            "basename": "CRYPT32.dll",
+            "filepath": "C:\\Windows\\system32\\CRYPT32.dll",
+            "imgsize": 1495040
+          },
+          {
+            "baseaddr": "0x7fefca10000",
+            "basename": "wdigest.DLL",
+            "filepath": "C:\\Windows\\system32\\wdigest.DLL",
+            "imgsize": 221184
+          },
+          {
+            "baseaddr": "0x7fefc9c0000",
+            "basename": "rsaenh.dll",
+            "filepath": "C:\\Windows\\system32\\rsaenh.dll",
+            "imgsize": 290816
+          },
+          {
+            "baseaddr": "0x7fefc9a0000",
+            "basename": "tspkg.DLL",
+            "filepath": "C:\\Windows\\system32\\tspkg.DLL",
+            "imgsize": 102400
+          },
+          {
+            "baseaddr": "0x7fefc950000",
+            "basename": "pku2u.DLL",
+            "filepath": "C:\\Windows\\system32\\pku2u.DLL",
+            "imgsize": 282624
+          },
+          {
+            "baseaddr": "0x7fefc900000",
+            "basename": "bcryptprimitives.dll",
+            "filepath": "C:\\Windows\\system32\\bcryptprimitives.dll",
+            "imgsize": 311296
+          },
+          {
+            "baseaddr": "0x7fefd420000",
+            "basename": "RpcRtRemote.dll",
+            "filepath": "C:\\Windows\\system32\\RpcRtRemote.dll",
+            "imgsize": 81920
+          },
+          {
+            "baseaddr": "0x7fefc8e0000",
+            "basename": "efslsaext.dll",
+            "filepath": "C:\\Windows\\system32\\efslsaext.dll",
+            "imgsize": 73728
+          },
+          {
+            "baseaddr": "0x7fefc8a0000",
+            "basename": "scecli.DLL",
+            "filepath": "C:\\Windows\\system32\\scecli.DLL",
+            "imgsize": 253952
+          },
+          {
+            "baseaddr": "0x7fefc890000",
+            "basename": "credssp.dll",
+            "filepath": "C:\\Windows\\system32\\credssp.dll",
+            "imgsize": 40960
+          },
+          {
+            "baseaddr": "0x7fefd340000",
+            "basename": "WINSTA.dll",
+            "filepath": "C:\\Windows\\system32\\WINSTA.dll",
+            "imgsize": 249856
+          },
+          {
+            "baseaddr": "0x7fefc700000",
+            "basename": "IPHLPAPI.DLL",
+            "filepath": "C:\\Windows\\system32\\IPHLPAPI.DLL",
+            "imgsize": 159744
+          },
+          {
+            "baseaddr": "0x7fefc6f0000",
+            "basename": "WINNSI.DLL",
+            "filepath": "C:\\Windows\\system32\\WINNSI.DLL",
+            "imgsize": 45056
+          },
+          {
+            "baseaddr": "0x7fefb0d0000",
+            "basename": "netutils.dll",
+            "filepath": "C:\\Windows\\system32\\netutils.dll",
+            "imgsize": 49152
+          },
+          {
+            "baseaddr": "0x7fefb0b0000",
+            "basename": "wkscli.dll",
+            "filepath": "C:\\Windows\\system32\\wkscli.dll",
+            "imgsize": 86016
+          },
+          {
+            "baseaddr": "0x7fefd630000",
+            "basename": "USERENV.dll",
+            "filepath": "C:\\Windows\\system32\\USERENV.dll",
+            "imgsize": 122880
+          },
+          {
+            "baseaddr": "0x7fefd4d0000",
+            "basename": "profapi.dll",
+            "filepath": "C:\\Windows\\system32\\profapi.dll",
+            "imgsize": 61440
+          },
+          {
+            "baseaddr": "0x7fefc5c0000",
+            "basename": "wshtcpip.dll",
+            "filepath": "C:\\Windows\\System32\\wshtcpip.dll",
+            "imgsize": 28672
+          },
+          {
+            "baseaddr": "0x7fef2400000",
+            "basename": "dssenh.dll",
+            "filepath": "C:\\Windows\\system32\\dssenh.dll",
+            "imgsize": 204800
+          },
+          {
+            "baseaddr": "0x7fefc780000",
+            "basename": "GPAPI.dll",
+            "filepath": "C:\\Windows\\system32\\GPAPI.dll",
+            "imgsize": 110592
+          },
+          {
+            "baseaddr": "0x74540000",
+            "basename": "monitor-x64.dll",
+            "filepath": "C:\\tmpcaygsr\\bin\\monitor-x64.dll",
+            "imgsize": 2269184
+          }
+        ],
+        "pid": 500,
+        "ppid": 384,
+        "process_name": "lsass.exe",
+        "process_path": "C:\\Windows\\System32\\lsass.exe",
+        "tid": 1380,
+        "time": 0,
+        "track": false,
+        "type": "process"
+      },
+      {
+        "calls": [
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "KERNEL32",
+              "flags": 0,
+              "module_address": "0x757c0000",
+              "module_name": "KERNEL32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1454",
+              "function_name": "InterlockedCompareExchange",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1432",
+              "function_name": "InterlockedExchange",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d11f8",
+              "function_name": "GetCurrentProcessId",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d11c0",
+              "function_name": "GetLastError",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d10ff",
+              "function_name": "Sleep",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1245",
+              "function_name": "GetModuleHandleA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d4977",
+              "function_name": "LoadLibraryA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1222",
+              "function_name": "GetProcAddress",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d17d9",
+              "function_name": "GetCurrentProcess",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1420",
+              "function_name": "GetCurrentThreadId",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d110c",
+              "function_name": "GetTickCount",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d8769",
+              "function_name": "SetUnhandledExceptionFilter",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d3468",
+              "function_name": "FreeLibrary",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d16f5",
+              "function_name": "QueryPerformanceCounter",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f770f",
+              "function_name": "UnhandledExceptionFilter",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757ed7ea",
+              "function_name": "TerminateProcess",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d0e00",
+              "function_name": "GetStartupInfoA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757fd1f3",
+              "function_name": "RtlUnwind",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757fb2af",
+              "function_name": "OutputDebugStringA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d34a9",
+              "function_name": "GetSystemTimeAsFileTime",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "msvcrt",
+              "flags": 0,
+              "module_address": "0x75b60000",
+              "module_name": "msvcrt.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6db38",
+              "function_name": "_stricmp",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6de4a",
+              "function_name": "strstr",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69894",
+              "function_name": "free",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6b10d",
+              "function_name": "realloc",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69cee",
+              "function_name": "malloc",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b714e3",
+              "function_name": "??1exception@@UAE@XZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b714f9",
+              "function_name": "??0exception@@QAE@XZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb56cd",
+              "function_name": "??0exception@@QAE@ABV0@@Z",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b7132e",
+              "function_name": "_beginthreadex",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b83557",
+              "function_name": "_CxxThrowException",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bbbf99",
+              "function_name": "_callnewh",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f607",
+              "function_name": "_ismbblead",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69790",
+              "function_name": "memset",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69910",
+              "function_name": "memcpy",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6a42d",
+              "function_name": "_unlock",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f509",
+              "function_name": "__dllonexit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6a449",
+              "function_name": "_lock",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b7112d",
+              "function_name": "_onexit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb92bb",
+              "function_name": "??1type_info@@UAE@XZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb61d7",
+              "function_name": "?terminate@@YAXXZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b72bc0",
+              "function_name": "__getmainargs",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b737d4",
+              "function_name": "_cexit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bcb2e0",
+              "function_name": "_exit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b8dc75",
+              "function_name": "_XcptFilter",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c004d8",
+              "function_name": "_acmdln",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6c151",
+              "function_name": "_initterm",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bcb30f",
+              "function_name": "_amsg_exit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bf77dd",
+              "function_name": "__setusermatherr",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b727c3",
+              "function_name": "__p__commode",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b727ce",
+              "function_name": "__p__fmode",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b72804",
+              "function_name": "__set_app_type",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f76e",
+              "function_name": "isleadbyte",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c02900",
+              "function_name": "_iob",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b8fa7c",
+              "function_name": "_snprintf",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b84218",
+              "function_name": "_itoa",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb22bf",
+              "function_name": "wctomb",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6e1e1",
+              "function_name": "_controlfp",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c03210",
+              "function_name": "__badioinfo",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c00500",
+              "function_name": "__pioinfo",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6ac15",
+              "function_name": "_fileno",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b74303",
+              "function_name": "_lseeki64",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b74078",
+              "function_name": "_write",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f383",
+              "function_name": "_isatty",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b7ca0b",
+              "function_name": "_strlwr",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6a5b8",
+              "function_name": "_errno",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b83495",
+              "function_name": "__CxxFrameHandler",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b736aa",
+              "function_name": "exit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb57a5",
+              "function_name": "?what@exception@@UBEPBDXZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x003c0000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x003c0000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 2,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READONLY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "SetUnhandledExceptionFilter",
+            "arguments": {},
+            "category": "exception",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "advapi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "advapi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "GetSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "NtCreateMutant",
+            "arguments": {
+              "desired_access": "0x001f0001",
+              "initial_owner": 0,
+              "mutant_handle": "0x00000040",
+              "mutant_name": ""
+            },
+            "category": "synchronisation",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "NtCreateMutant",
+            "arguments": {
+              "desired_access": "0x001f0001",
+              "initial_owner": 0,
+              "mutant_handle": "0x00000044",
+              "mutant_name": ""
+            },
+            "category": "synchronisation",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000048",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Diagnostics"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "advapi32",
+              "flags": 0,
+              "module_address": "0x75e10000",
+              "module_name": "advapi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e19159",
+              "function_name": "CryptAcquireContextA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1e0a4",
+              "function_name": "CryptReleaseContext",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1dece",
+              "function_name": "CryptCreateHash",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1deb6",
+              "function_name": "CryptHashData",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1defe",
+              "function_name": "CryptGetHashParam",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1dee6",
+              "function_name": "CryptDestroyHash",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "CRYPTSP",
+              "flags": 0,
+              "module_address": "0x742d0000",
+              "module_name": "CRYPTSP.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x742d4a53",
+              "function_name": "CryptAcquireContextA",
+              "module": "CRYPTSP",
+              "module_address": "0x742d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.583626
+          },
+          {
+            "api": "CryptAcquireContextA",
+            "arguments": {
+              "container": "",
+              "crypto_handle": "0x006f6cf0",
+              "flags": 4026531904,
+              "provider": "",
+              "provider_type": 1
+            },
+            "category": "crypto",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "Kernel32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d13e0",
+              "function_name": "CloseHandle",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d5366",
+              "function_name": "CreateFileA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d4c0b",
+              "function_name": "CreateMutexA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f733f",
+              "function_name": "CreateToolhelp32Snapshot",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d31cf",
+              "function_name": "DeviceIoControl",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d17bc",
+              "function_name": "GetCurrentThread",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75854aff",
+              "function_name": "GetLongPathNameA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1481",
+              "function_name": "GetModuleFileNameA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757e107d",
+              "function_name": "GetNativeSystemInfo",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d14b9",
+              "function_name": "GetProcessHeap",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d496a",
+              "function_name": "GetSystemInfo",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f79b4",
+              "function_name": "GetThreadContext",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779ee0c6",
+              "function_name": "HeapAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1499",
+              "function_name": "HeapFree",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779fc7ac",
+              "function_name": "HeapReAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757fd0a5",
+              "function_name": "IsBadReadPtr",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75856459",
+              "function_name": "Module32First",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75856542",
+              "function_name": "Module32Next",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d111e",
+              "function_name": "ReleaseMutex",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1ad0",
+              "function_name": "SetErrorMode",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1826",
+              "function_name": "VirtualAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d183e",
+              "function_name": "VirtualFree",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d42ff",
+              "function_name": "VirtualProtect",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1136",
+              "function_name": "WaitForSingleObject",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1956",
+              "function_name": "OpenProcess",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x75e10000",
+              "module_name": "Advapi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24036",
+              "function_name": "AllocateAndInitializeSid",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1de84",
+              "function_name": "CheckTokenMembership",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e2407e",
+              "function_name": "FreeSid",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e245ed",
+              "function_name": "RegCloseKey",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e2485b",
+              "function_name": "RegOpenKeyExA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24843",
+              "function_name": "RegQueryValueExA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e240de",
+              "function_name": "AdjustTokenPrivileges",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e235e4",
+              "function_name": "CloseServiceHandle",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e23f9a",
+              "function_name": "LookupPrivilegeValueA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24254",
+              "function_name": "OpenProcessToken",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e22b20",
+              "function_name": "OpenSCManagerA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e22b38",
+              "function_name": "OpenServiceA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1790c",
+              "function_name": "QueryServiceStatusEx",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "Shell32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741700,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "Shell32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741700,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtQuerySystemInformation",
+            "arguments": { "information_class": 0 },
+            "category": "system",
+            "flags": { "information_class": "SystemBasicInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x77ac1000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 2,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READONLY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x773a0000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x773a0000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 32,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "IMM32",
+              "flags": 0,
+              "module_address": "0x75f10000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x75f10000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000054",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000054",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000054" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x75a30000",
+              "module_name": "LPK.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75a348a0",
+              "function_name": "LpkTabbedTextOut",
+              "module": "LPK",
+              "module_address": "0x75a30000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75a31430",
+              "function_name": "LpkPSMTextOut",
+              "module": "LPK",
+              "module_address": "0x75a30000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75a313d0",
+              "function_name": "LpkDrawTextEx",
+              "module": "LPK",
+              "module_address": "0x75a30000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75a37000",
+              "function_name": "LpkEditControl",
+              "module": "LPK",
+              "module_address": "0x75a30000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000006c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000068" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000068",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000068",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
+              "value": 0
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000068" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "gdi32",
+              "flags": 0,
+              "module_address": "0x76e10000",
+              "module_name": "gdi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x76e29ea8",
+              "function_name": "GetCharABCWidthsI",
+              "module": "GDI32",
+              "module_address": "0x76e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "Shell32",
+              "flags": 0,
+              "module_address": "0x76050000",
+              "module_name": "Shell32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x762986f5",
+              "function_name": "ShellExecuteExA",
+              "module": "Shell32",
+              "module_address": "0x76050000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x77390000",
+              "module_name": "User32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773afffe",
+              "function_name": "FindWindowA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773e9114",
+              "function_name": "SwitchToThisWindow",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773ad23e",
+              "function_name": "CreateWindowExA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773a9a55",
+              "function_name": "DestroyWindow",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773a7bbb",
+              "function_name": "DispatchMessageA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773a7bd3",
+              "function_name": "GetMessageA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773a7d2f",
+              "function_name": "GetSystemMetrics",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773b9045",
+              "function_name": "LoadImageA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773b71fe",
+              "function_name": "SendMessageA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773a79fb",
+              "function_name": "SetTimer",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773b86de",
+              "function_name": "SetWindowTextA",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773b0e13",
+              "function_name": "ShowWindow",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x773a7809",
+              "function_name": "TranslateMessage",
+              "module": "USER32",
+              "module_address": "0x77390000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "Ole32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 5,
+            "nt_status": 0,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "Ole32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 5,
+            "nt_status": 0,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000084",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000084",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 126,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000084" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000084",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000084",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 126,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000084" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "GetSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x774d0000",
+              "module_name": "rpcrt4.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x774f009e",
+              "function_name": "I_RpcInitNdrImports",
+              "module": "RPCRT4",
+              "module_address": "0x774d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "NtOpenDirectoryObject",
+            "arguments": {
+              "desired_access": "0x0000000f",
+              "directory_handle": "0x000000a0",
+              "dirpath": "\\Sessions\\1\\BaseNamedObjects",
+              "dirpath_r": "\\Sessions\\1\\BaseNamedObjects"
+            },
+            "category": "file",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "Ole32",
+              "flags": 0,
+              "module_address": "0x758d0000",
+              "module_name": "Ole32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75919c5b",
+              "function_name": "CoCreateInstance",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7591097d",
+              "function_name": "CoInitializeEx",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x758f355b",
+              "function_name": "CreateStreamOnHGlobal",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943648.599626
+          },
+          {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeDebugPrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000a4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x779c0000",
+              "module_name": "ntdll.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a6cd42",
+              "function_name": "CsrGetProcessId",
+              "module": "ntdll",
+              "module_address": "0x779c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtOpenProcess",
+            "arguments": {
+              "desired_access": "0x001fffff",
+              "process_handle": "0x00000000",
+              "process_identifier": 408
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|SPECIFIC_RIGHTS_ALL"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225506,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 2 },
+            "category": "system",
+            "flags": { "mode": "SEM_NOGPFAULTERRORBOX" },
+            "return_value": 32775,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "SetUnhandledExceptionFilter",
+            "arguments": {},
+            "category": "exception",
+            "flags": {},
+            "return_value": 3980002,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "OpenSCManagerA",
+            "arguments": {
+              "database_name": "",
+              "desired_access": 2147483648,
+              "machine_name": ""
+            },
+            "category": "services",
+            "flags": {},
+            "return_value": 7204000,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "OpenServiceA",
+            "arguments": {
+              "desired_access": 4,
+              "service_handle": "0x00000000",
+              "service_manager_handle": "0x006deca0",
+              "service_name": "WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "services",
+            "flags": {},
+            "last_error": 1060,
+            "nt_status": -1073741790,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000f8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000fc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "CreateThread",
+            "arguments": {
+              "flags": 0,
+              "function_address": "0x75b712e5",
+              "parameter": "0x00922640",
+              "stack_size": 0,
+              "thread_identifier": 2628
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 252,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "SetUnhandledExceptionFilter",
+            "arguments": {},
+            "category": "exception",
+            "flags": {},
+            "return_value": 3966816,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+              "regkey_r": "CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2628,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c100d",
+                "exception_code": "0xc0000094",
+                "instruction": "div eax",
+                "instruction_r": "f7 f0 e8 9c 05 00 00 85 c0 74 06 b8 0a 00 00 00",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 4109,
+                "symbol": "win32+0x100d"
+              },
+              "registers": {
+                "eax": 0,
+                "ebp": 2752212,
+                "ebx": 0,
+                "ecx": 3503292416,
+                "edi": 1971160937,
+                "edx": 2130566132,
+                "esi": 7155388,
+                "esp": 2751908
+              },
+              "stacktrace": [
+                "win32+0x8b60 @ 0x3c8b60",
+                "win32+0xa83f @ 0x3ca83f",
+                "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a",
+                "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2",
+                "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+              ]
+            },
+            "category": "__notification__",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "SetUnhandledExceptionFilter",
+            "arguments": {},
+            "category": "exception",
+            "flags": {},
+            "return_value": 3937488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c1602",
+                "exception_code": "0xc0000096",
+                "instruction": "in eax, dx",
+                "instruction_r": "ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 5634,
+                "symbol": "win32+0x1602"
+              },
+              "registers": {
+                "eax": 1447909480,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 10,
+                "edi": 1971160937,
+                "edx": 22104,
+                "esi": 7155388,
+                "esp": 2751844
+              },
+              "stacktrace": [
+                "win32+0x1014 @ 0x3c1014",
+                "win32+0x8b60 @ 0x3c8b60",
+                "win32+0xa83f @ 0x3ca83f",
+                "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a",
+                "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2",
+                "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+              ]
+            },
+            "category": "__notification__",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c1546",
+                "exception_code": "0xc000001d",
+                "instruction_r": "0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 5446,
+                "symbol": "win32+0x1546"
+              },
+              "registers": {
+                "eax": 1,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 2028644408,
+                "edi": 1971160937,
+                "edx": 0,
+                "esi": 7155388,
+                "esp": 2751844
+              },
+              "stacktrace": [
+                "win32+0x1023 @ 0x3c1023",
+                "win32+0x8b60 @ 0x3c8b60",
+                "win32+0xa83f @ 0x3ca83f",
+                "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a",
+                "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2",
+                "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+              ]
+            },
+            "category": "__notification__",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ole32",
+              "flags": 0,
+              "module_address": "0x758d0000",
+              "module_name": "ole32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "kernel32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f9796",
+              "function_name": "GetSystemWindowsDirectoryA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryA",
+            "arguments": { "dirpath": "\u0000GetSystemW" },
+            "category": "file",
+            "flags": {},
+            "return_value": 11,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryA",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0xc0100080",
+              "file_attributes": 128,
+              "file_handle": "0x00000114",
+              "filepath": "\\??\\c:",
+              "filepath_r": "\\??\\c:",
+              "share_access": 3,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE",
+              "file_attributes": "FILE_ATTRIBUTE_NORMAL",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "DeviceIoControl",
+            "arguments": {
+              "control_code": 2953344,
+              "device_handle": "0x00000114",
+              "input_buffer": "",
+              "output_buffer": "\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000"
+            },
+            "category": "file",
+            "flags": { "control_code": "IOCTL_STORAGE_GET_DEVICE_NUMBER" },
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000114" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x758eef0f",
+              "function_name": "OleInitialize",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0xc0100080",
+              "file_attributes": 128,
+              "file_handle": "0x00000114",
+              "filepath": "\\??\\PhysicalDrive0",
+              "filepath_r": "\\??\\PhysicalDrive0",
+              "share_access": 3,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE",
+              "file_attributes": "FILE_ATTRIBUTE_NORMAL",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "DeviceIoControl",
+            "arguments": {
+              "control_code": 475264,
+              "device_handle": "0x00000114",
+              "input_buffer": "",
+              "output_buffer": ""
+            },
+            "category": "file",
+            "flags": { "control_code": "" },
+            "last_error": 1,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000114" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "CreateToolhelp32Snapshot",
+            "arguments": { "flags": 8, "process_identifier": 2976 },
+            "category": "process",
+            "flags": {},
+            "return_value": 296,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32FirstW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "Module32NextW",
+            "arguments": { "snapshot_handle": "0x00000128" },
+            "category": "process",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000128" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "FindWindowA",
+            "arguments": { "class_name": "OLLYDBG", "window_name": "" },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "FindWindowA",
+            "arguments": {
+              "class_name": "WinDbgFrameClass",
+              "window_name": ""
+            },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "FindWindowA",
+            "arguments": {
+              "class_name": "PROCMON_WINDOW_CLASS",
+              "window_name": ""
+            },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "FindWindowA",
+            "arguments": { "class_name": "PROCEXPL", "window_name": "" },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "wpcap",
+              "flags": 0,
+              "module_address": "0x00000000",
+              "module_name": "wpcap.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00008000" },
+            "category": "system",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 3221225480,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtGetContextThread",
+            "arguments": { "thread_handle": "0xfffffffe" },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "GetSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x00390000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 64,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_EXECUTE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x00390000",
+              "heap_dep_bypass": 1,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 320,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READWRITE|PAGE_GUARD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00390000",
+              "free_type": 32768,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c12ad",
+                "exception_code": "0x80000004",
+                "instruction": "mov dword ptr [ebp + 0xfffffffc], 0xfffffffe",
+                "instruction_r": "c7 45 fc fe ff ff ff b8 01 00 00 00 8b 4d f0 64",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 4781,
+                "symbol": "win32+0x12ad"
+              },
+              "registers": {
+                "eax": 2751884,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 2028644408,
+                "edi": 1971160937,
+                "edx": 2130566132,
+                "esi": 7155388,
+                "esp": 2751860
+              },
+              "stacktrace": [
+                "win32+0x108c @ 0x3c108c",
+                "win32+0x8b60 @ 0x3c8b60",
+                "win32+0xa83f @ 0x3ca83f",
+                "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a",
+                "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2",
+                "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+              ]
+            },
+            "category": "__notification__",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "OleInitialize",
+            "arguments": {},
+            "category": "ole",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x779c0000",
+              "module_name": "ntdll.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779dfae8",
+              "function_name": "NtQueryInformationProcess",
+              "module": "ntdll",
+              "module_address": "0x779c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ole32",
+              "flags": 0,
+              "module_address": "0x758d0000",
+              "module_name": "ole32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75916c74",
+              "function_name": "CreateBindCtx",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7591e9fc",
+              "function_name": "CoTaskMemAlloc",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c121d",
+                "exception_code": "0x80000003",
+                "instruction": "rol byte ptr [ebx + 0x45c702c0], -4",
+                "instruction_r": "c0 83 c0 02 c7 45 fc fe ff ff ff b8 01 00 00 00",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 4637,
+                "symbol": "win32+0x121d"
+              },
+              "registers": {
+                "eax": 2751884,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 2026067364,
+                "edi": 1971160937,
+                "edx": 844648,
+                "esi": 7155388,
+                "esp": 2751860
+              },
+              "stacktrace": [
+                "win32+0x10b9 @ 0x3c10b9",
+                "win32+0x8b60 @ 0x3c8b60",
+                "win32+0xa83f @ 0x3ca83f",
+                "BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a",
+                "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2",
+                "RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+              ]
+            },
+            "category": "__notification__",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x006fc000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 203,
+            "nt_status": -1073741568,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ADVAPI32",
+              "flags": 0,
+              "module_address": "0x75e10000",
+              "module_name": "ADVAPI32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a028d7",
+              "function_name": "RegisterTraceGuidsW",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x75e10000",
+              "module_name": "advapi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a027c9",
+              "function_name": "EventRegister",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a1919d",
+              "function_name": "EventUnregister",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f8848",
+              "function_name": "EventEnabled",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a196fd",
+              "function_name": "EventWrite",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "PROPSYS",
+              "flags": 0,
+              "module_address": "0x74190000",
+              "module_name": "PROPSYS.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7419bf2c",
+              "function_name": "PSCreateMemoryPropertyStore",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7419c9d6",
+              "function_name": "PSPropertyBag_WriteDWORD",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x779c0000",
+              "module_name": "ntdll.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75916495",
+              "function_name": "CoGetApartmentType",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779df9bc",
+              "function_name": "NtSetInformationThread",
+              "module": "ntdll",
+              "module_address": "0x779c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x759175b0",
+              "function_name": "CoRegisterInitializeSpy",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x006fd000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "SetUnhandledExceptionFilter",
+            "arguments": {},
+            "category": "exception",
+            "flags": {},
+            "last_error": 6,
+            "nt_status": -1073741816,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000140",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select",
+              "regkey_r": "SYSTEM\\Select"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000140",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000144",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current",
+              "regkey_r": "Current",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000144",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood",
+              "regkey_r": "LastKnownGood",
+              "value": 2
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000144" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters",
+              "regkey_r": "SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000140" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000144",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc",
+              "regkey_r": "EnableBpc",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 6,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000144" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters",
+              "regkey_r": "SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000144",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc",
+              "regkey_r": "EnableBpc",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 6,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000144" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "GetNativeSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000101",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000140",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
+              "regkey_r": "SOFTWARE\\Microsoft\\Cryptography"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000140",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid",
+              "regkey_r": "MachineGuid",
+              "value": "3e8a2b26-09e3-46d4-9d82-040453578837"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000140" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x742d5d1b",
+              "function_name": "CryptCreateHash",
+              "module": "CRYPTSP",
+              "module_address": "0x742d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "CryptCreateHash",
+            "arguments": {
+              "algorithm_identifier": "0x00008004",
+              "crypto_handle": "0x00000000",
+              "flags": 0,
+              "hash_handle": "0x006fd010",
+              "provider_handle": "0x006f6cf0"
+            },
+            "category": "crypto",
+            "flags": { "algorithm_identifier": "CALG_SHA1" },
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x742d5f62",
+              "function_name": "CryptHashData",
+              "module": "CRYPTSP",
+              "module_address": "0x742d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "CryptHashData",
+            "arguments": {
+              "buffer": "6401E9A2-4DC0-4622-A3A7-961BB3EF704B",
+              "flags": 0,
+              "hash_handle": "0x006fd010"
+            },
+            "category": "crypto",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "CryptHashData",
+            "arguments": {
+              "buffer": "3e8a2b26-09e3-46d4-9d82-040453578837",
+              "flags": 0,
+              "hash_handle": "0x006fd010"
+            },
+            "category": "crypto",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "CryptHashData",
+            "arguments": {
+              "buffer": "6401E9A2-4DC0-4622-A3A7-961BB3EF704B",
+              "flags": 0,
+              "hash_handle": "0x006fd010"
+            },
+            "category": "crypto",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x742d667c",
+              "function_name": "CryptGetHashParam",
+              "module": "CRYPTSP",
+              "module_address": "0x742d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x742d6135",
+              "function_name": "CryptDestroyHash",
+              "module": "CRYPTSP",
+              "module_address": "0x742d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtCreateMutant",
+            "arguments": {
+              "desired_access": "0x001f0001",
+              "initial_owner": 1,
+              "mutant_handle": "0x00000140",
+              "mutant_name": "Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"
+            },
+            "category": "synchronisation",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000144",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000144" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000144",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000144" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000144",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000144" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000144",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000144",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000144" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000009",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\Win32.DarkTequila.exe"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75926f61",
+              "function_name": "CoTaskMemFree",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "CreateActCtxW",
+            "arguments": {
+              "application_name": "",
+              "module_handle": "0x76050000",
+              "resource_name": ""
+            },
+            "category": "misc",
+            "flags": {},
+            "return_value": 7329276,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x006ff000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "CreateActCtxW",
+            "arguments": {
+              "application_name": "",
+              "module_handle": "0x00000000",
+              "resource_name": ""
+            },
+            "category": "misc",
+            "flags": {},
+            "return_value": 7331500,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x75a30000",
+              "module_name": "LPK",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75a37000",
+              "function_name": "LpkEditControl",
+              "module": "LPK",
+              "module_address": "0x75a30000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "comctl32",
+              "flags": 0,
+              "module_address": "0x73ff0000",
+              "module_name": "comctl32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "comctl32",
+              "flags": 0,
+              "module_address": "0x73ff0000",
+              "module_name": "comctl32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7401e05d",
+              "function_name": "",
+              "module": "comctl32",
+              "module_address": "0x73ff0000",
+              "ordinal": 236
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "OLEAUT32",
+              "flags": 0,
+              "module_address": "0x75ac0000",
+              "module_name": "OLEAUT32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75ac3f8a",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x75ac0000",
+              "ordinal": 6
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7591e9fc",
+              "function_name": "CoTaskMemAlloc",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x759161a9",
+              "function_name": "CoGetMalloc",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000158",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000158",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000158" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7419c97f",
+              "function_name": "PSPropertyBag_ReadDWORD",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7419ca28",
+              "function_name": "PSPropertyBag_ReadGUID",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x740211b9",
+              "function_name": "",
+              "module": "comctl32",
+              "module_address": "0x73ff0000",
+              "ordinal": 320
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x74021158",
+              "function_name": "",
+              "module": "comctl32",
+              "module_address": "0x73ff0000",
+              "ordinal": 324
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x740206f0",
+              "function_name": "",
+              "module": "comctl32",
+              "module_address": "0x73ff0000",
+              "ordinal": 323
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000158",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ADVAPI32",
+              "flags": 0,
+              "module_address": "0x75e10000",
+              "module_name": "ADVAPI32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e243ab",
+              "function_name": "RegEnumKeyW",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 0,
+              "key_handle": "0x00000158",
+              "key_name": "{031E4825-7B94-4dc3-B131-E946B44C8DD5}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 1,
+              "key_handle": "0x00000158",
+              "key_name": "{04731B67-D933-450a-90E6-4ACD2E9408FE}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 2,
+              "key_handle": "0x00000158",
+              "key_name": "{11016101-E366-4D22-BC06-4ADA335C892B}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 3,
+              "key_handle": "0x00000158",
+              "key_name": "{26EE0668-A00A-44D7-9371-BEB064C98683}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 4,
+              "key_handle": "0x00000158",
+              "key_name": "{4336a54d-038b-4685-ab02-99bb52d3fb8b}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 5,
+              "key_handle": "0x00000158",
+              "key_name": "{450D8FBA-AD25-11D0-98A8-0800361B1103}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 6,
+              "key_handle": "0x00000158",
+              "key_name": "{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 7,
+              "key_handle": "0x00000158",
+              "key_name": "{59031a47-3f72-44a7-89c5-5595fe6b30ee}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 8,
+              "key_handle": "0x00000158",
+              "key_name": "{645FF040-5081-101B-9F08-00AA002F954E}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 9,
+              "key_handle": "0x00000158",
+              "key_name": "{89D83576-6BD1-4c86-9454-BEB04E94C819}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 10,
+              "key_handle": "0x00000158",
+              "key_name": "{9343812e-1c37-4a49-a12e-4b2d810d956b}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 11,
+              "key_handle": "0x00000158",
+              "key_name": "{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 12,
+              "key_handle": "0x00000158",
+              "key_name": "{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 13,
+              "key_handle": "0x00000158",
+              "key_name": "{daf95313-e44d-46af-be1b-cbacea2c3065}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 14,
+              "key_handle": "0x00000158",
+              "key_name": "{e345f35f-9397-435c-8f95-4e922c26259e}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 15,
+              "key_handle": "0x00000158",
+              "key_name": "{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 16,
+              "key_handle": "0x00000158",
+              "key_name": "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 17,
+              "key_handle": "0x00000158",
+              "key_name": "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -2147483622,
+            "return_value": 259,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000158" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": -2147483622,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenProcess",
+            "arguments": {
+              "desired_access": "0x00000400",
+              "process_handle": "0x00000158",
+              "process_identifier": 2976
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000158" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ADVAPI32",
+              "flags": 0,
+              "module_address": "0x75e10000",
+              "module_name": "ADVAPI32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e2427c",
+              "function_name": "OpenThreadToken",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000158",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00701000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.552626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u0000D\u00000\u00004\u0000F\u0000E\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00008\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000156" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75912208",
+              "function_name": "StringFromGUID2",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00002\u00000\u00008\u0000D\u00002\u0000C\u00006\u00000\u0000-\u00003\u0000A\u0000E\u0000A\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000D\u00007\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000156" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
+              "value": 36
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000S\u0000h\u0000e\u0000l\u0000l\u0000F\u0000o\u0000l\u0000d\u0000e\u0000r\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000156" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
+              "value": 1048576
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00d4\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000I\u0000n\u0000P\u0000r\u0000o\u0000c\u0000S\u0000e\u0000r\u0000v\u0000e\u0000r\u00003\u00002\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
+              "value": "C:\\Windows\\SysWOW64\\ieframe.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00d4\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000W\u0000o\u0000w\u00006\u00004\u00003\u00002\u0000N\u0000o\u0000d\u0000e\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u00008\u00007\u00001\u0000C\u00005\u00003\u00008\u00000\u0000-\u00004\u00002\u0000A\u00000\u0000-\u00001\u00000\u00006\u00009\u0000-\u0000A\u00002\u0000E\u0000A\u0000-\u00000\u00008\u00000\u00000\u00002\u0000B\u00003\u00000\u00003\u00000\u00009\u0000D\u0000}\u0000\\\u0000I\u0000n\u0000P\u0000r\u0000o\u0000c\u0000S\u0000e\u0000r\u0000v\u0000e\u0000r\u00003\u00002\u0000",
+              "information_class": 3,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x00000156",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000156",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000156" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "apphelp",
+              "flags": 0,
+              "module_address": "0x73fa0000",
+              "module_name": "apphelp.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x73faa4cb",
+              "function_name": "ApphelpCheckShellObject",
+              "module": "apphelp",
+              "module_address": "0x73fa0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Option"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCompatibility"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x80000000",
+              "key_handle": "0x00000154",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871c5380-42a0-1069-a2ea-08002b30309d}\\InProcServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 1,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
+              "value": "C:\\Windows\\SysWOW64\\ieframe.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValueFullInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "ieframe.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtOpenFile",
+            "arguments": {
+              "desired_access": "0x00100081",
+              "file_handle": "0x00000154",
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll",
+              "open_options": 96,
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "desired_access": "FILE_READ_DATA|FILE_READ_ATTRIBUTES|FILE_LIST_DIRECTORY",
+              "open_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00702000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0x80100080",
+              "file_attributes": 128,
+              "file_handle": "0x00000154",
+              "filepath": "C:\\Windows\\AppPatch\\sysmain.sdb",
+              "filepath_r": "\\SystemRoot\\AppPatch\\sysmain.sdb",
+              "share_access": 1,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "FILE_ATTRIBUTE_NORMAL",
+              "share_access": "FILE_SHARE_READ",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.568626
+          },
+          {
+            "api": "NtQueryInformationFile",
+            "arguments": {
+              "file_handle": "0x00000154",
+              "information_class": 5
+            },
+            "category": "file",
+            "flags": { "information_class": "FileStandardInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x00000005",
+              "file_handle": "0x00000154",
+              "object_handle": "0x00000000",
+              "protection": 2,
+              "section_handle": "0x0000015c",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x02760000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "section_handle": "0x0000015c",
+              "section_offset": 0,
+              "view_size": 4083712,
+              "win32_protect": 2
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READONLY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryInformationFile",
+            "arguments": {
+              "file_handle": "0x00000154",
+              "information_class": 5
+            },
+            "category": "file",
+            "flags": { "information_class": "FileStandardInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x779c0000",
+              "module_name": "ntdll.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 32769 },
+            "category": "system",
+            "flags": {
+              "mode": "SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX"
+            },
+            "return_value": 6,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtOpenFile",
+            "arguments": {
+              "desired_access": "0x00100001",
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\",
+              "open_options": 16417,
+              "share_access": 3,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "desired_access": "FILE_READ_DATA|FILE_LIST_DIRECTORY",
+              "open_options": "FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 32769 },
+            "category": "system",
+            "flags": {
+              "mode": "SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX"
+            },
+            "return_value": 32773,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "GetFileAttributesW",
+            "arguments": {
+              "file_attributes": 32,
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "C:\\Windows\\SysWOW64\\ieframe.dll"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 32,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "FindFirstFileExW",
+            "arguments": {
+              "filepath": "C:\\Windows",
+              "filepath_r": "C:\\Windows"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 7331824,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "FindFirstFileExW",
+            "arguments": {
+              "filepath": "C:\\Windows\\SysWOW64",
+              "filepath_r": "C:\\Windows\\SysWOW64"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 7331824,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "FindFirstFileExW",
+            "arguments": {
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "C:\\Windows\\SysWOW64\\ieframe.dll"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 7331824,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 32773 },
+            "category": "system",
+            "flags": {
+              "mode": "SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"
+            },
+            "return_value": 32773,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000160",
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 1,
+              "key_handle": "0x00000160",
+              "key_name": "Cache",
+              "reg_type": 1,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
+              "value": "C:\\Users\\mes-vms\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValueFullInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x80000100",
+              "key_handle": "0x00000000",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x80000100",
+              "key_handle": "0x00000000",
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x80000100",
+              "key_handle": "0x00000000",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\ieframe.dll"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00703000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "FindFirstFileExW",
+            "arguments": {
+              "filepath": "C:\\Windows\\SysWOW64\\*.*",
+              "filepath_r": "C:\\Windows\\SysWOW64\\*.*"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 7331824,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00705000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00707000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00708000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00709000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0070c000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0070d000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0070e000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00710000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00711000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00712000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00713000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00714000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00715000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00716000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00717000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00718000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00719000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0071a000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0071d000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0071e000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0071f000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00720000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00721000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00722000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00724000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryDirectoryFile",
+            "arguments": {
+              "dirpath": "C:\\Windows\\SysWOW64",
+              "file_handle": "0x00000160",
+              "information_class": 3
+            },
+            "category": "file",
+            "flags": { "information_class": "FileBothDirectoryInformation" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": 2147483654,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 1 },
+            "category": "system",
+            "flags": { "mode": "SEM_FAILCRITICALERRORS" },
+            "return_value": 32773,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtQueryAttributesFile",
+            "arguments": {
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.583626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x00000007",
+              "file_handle": "0x00000160",
+              "object_handle": "0x00000000",
+              "protection": 2,
+              "section_handle": "0x00000164",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x71cb0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "section_handle": "0x00000164",
+              "section_offset": 0,
+              "view_size": 13701120,
+              "win32_protect": 4
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000164" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 32773 },
+            "category": "system",
+            "flags": {
+              "mode": "SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"
+            },
+            "return_value": 5,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000160",
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CMF\\Config"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000160",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM",
+              "value": 0
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 0,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x000f0005",
+              "file_handle": "0x00000160",
+              "object_handle": "0x00000000",
+              "protection": 8,
+              "section_handle": "0x00000164",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x02b50000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "section_handle": "0x00000164",
+              "section_offset": 0,
+              "view_size": 1900544,
+              "win32_protect": 8
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_WRITECOPY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000164" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x02b50000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 1900544
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x71cb0000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 1 },
+            "category": "system",
+            "flags": { "mode": "SEM_FAILCRITICALERRORS" },
+            "return_value": 32773,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00726000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryAttributesFile",
+            "arguments": {
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x00000007",
+              "file_handle": "0x00000160",
+              "object_handle": "0x00000000",
+              "protection": 2,
+              "section_handle": "0x00000164",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x729d0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "section_handle": "0x00000164",
+              "section_offset": 0,
+              "view_size": 13701120,
+              "win32_protect": 4
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000164" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 32773 },
+            "category": "system",
+            "flags": {
+              "mode": "SEM_FAILCRITICALERRORS|SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOOPENFILEERRORBOX"
+            },
+            "return_value": 5,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 0,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x000f0005",
+              "file_handle": "0x00000160",
+              "object_handle": "0x00000000",
+              "protection": 8,
+              "section_handle": "0x00000164",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x02b50000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "section_handle": "0x00000164",
+              "section_offset": 0,
+              "view_size": 1900544,
+              "win32_protect": 8
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_WRITECOPY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000164" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x02b50000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 1900544
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x729d0000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0x80100080",
+              "file_attributes": 128,
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll",
+              "share_access": 1,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "FILE_ATTRIBUTE_NORMAL",
+              "share_access": "FILE_SHARE_READ",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryInformationFile",
+            "arguments": {
+              "file_handle": "0x00000160",
+              "information_class": 5
+            },
+            "category": "file",
+            "flags": { "information_class": "FileStandardInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x00000005",
+              "file_handle": "0x00000160",
+              "object_handle": "0x00000000",
+              "protection": 2,
+              "section_handle": "0x00000164",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x71cb0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "section_handle": "0x00000164",
+              "section_offset": 0,
+              "view_size": 13701120,
+              "win32_protect": 2
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READONLY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0x80100080",
+              "file_attributes": 128,
+              "file_handle": "0x00000168",
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll",
+              "share_access": 1,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "FILE_ATTRIBUTE_NORMAL",
+              "share_access": "FILE_SHARE_READ",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "SetFilePointerEx",
+            "arguments": {
+              "file_handle": "0x00000168",
+              "move_method": 2,
+              "offset": 13679616
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x00000168",
+              "move_method": 2,
+              "offset": 4294966272
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 13678592,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "t2|2\u00842\u008c2\u00902\u00982\u009c2\u00a02\u00a42\u00a82\u00ac2\u00b02\u00b42\u00bc2\u00c02\u00c42\u00c82\u00cc2\u00d42\u00d82\u00e02\u00e42\u00e82\u00ec2\u00f42\u00f82\u00fc2\u00003\u00043\b3\f3\u00103\u00183\u001c3 3$3(3,3034383<3@3D3L3P3T3X3\\3`3d3h3l3p3t3x3|3\u00803\u00843\u00883\u008c3\u00903\u00943\u00983\u009c3\u00a03\u00a43\u00a83\u00ac3\u00b03\u00b43\u00b83\u00bc3\u00c03\u00c43\u00c83\u00cc3\u00d03\u00d43\u00d83\u00dc3\u00e03\u00e43\u00e83\u00ec3\u00f03\u00f43\u00f83\u00fc3\u00004\u00044\b4\f4\u00104\u00144\u00184\u001c4 4$4(4,4044484<4@4D4H4L4P4T4X4\\4`4d4h4l4p4t4x4|4\u00804\u00844\u00884\u008c4\u00904\u00944\u00984\u009c4\u00a04\u00a44\u00a84\u00ac4\u00b04\u00b84\u00bc4\u00c04\u00c44\u00c84\u00cc4\u00d04\u00d44\u00d84\u00dc4\u00e04\u00e84\u00ec4\u00f04\u00f44\u00f84\u00005\u00045\b5\f5\u00105\u00145\u00185\u001c5 5$5(5054585<5@5D5H5L5P5T5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d45\u00d85\u00dc5\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00006\u00046\b6\f6\u00106\u00146\u00186\u001c6 6$6(6,6064686<6@6D6H6L6P6T6X6\\6`6d6h6l6p6t6x6|6\u00806\u00846\u00886\u008c6\u00906\u00946\u00986\u009c6\u00a06\u00a46\u00a86\u00ac6\u00b06\u00b46\u00b86\u00bc6\u00c06\u00c46\u00c86\u00cc6\u00d46\u00dc6\u00e06\u00e86\u00ec6\u00f06\u00f46\u00f86\u00fc6\u00007\u00047\b7\f7\u00107\u00147\u00187\u001c7 7$7(7,7074787<7@7D7H7L7P7T7X7\\7`7d7h7l7p7t7x7|7\u00807\u00847\u00887\u008c7\u00907\u00947\u00987\u009c7\u00a07\u00a47\u00a87\u00ac7\u00b07\u00b47\u00b87\u00bc7\u00c07\u00c47\u00c87\u00cc7\u00d07\u00d47\u00d87\u00dc7\u00e07\u00e47\u00e87\u00ec7\u00f07\u00f47\u00f87\u00fc7\u00008\u00048\b8\f8\u00108\u00148\u00188\u001c8 
8$8(8,8084888<8@8D8H8L8P8T8X8\\8`8d8h8l8p8t8x8|8\u00808\u00848\u00888\u008c8\u00948\u009c8\u00a08\u00a48\u00ac8\u00b48\u00b88\u00bc8\u00c08\u00c48\u00c88\u00cc8\u00d08\u00d48\u00dc8\u00e48\u00e88\u00ec8\u00f08\u00f48\u00f88\u00009\u00049\b9\f9\u00109\u00149\u00189\u001c9 9$9(9,9094989<9@9D9H9L9P9T9X9\\9`9d9h9l9p9t9|9\u00809\u00849\u00889\u008c9\u00909\u00949\u00989\u009c9\u00a09\u00a49\u00a89\u00b09\u00b49\u00bc9\u00c49\u00c89\u00d09\u00d89\u00dc9\u00e09\u00e89\u00ec9\u00f09\u00f49\u00f89\u00fc9\u0000:\u0004:\f:\u0010:\u0014:\u0018: :$:(:0:8:<:D:L:P:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
+              "file_handle": "0x00000168",
+              "length": 1024,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000168" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x71cb0000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000164" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0070c000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 12288
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00708000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 8192
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00716000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 8192
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00712000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 8192
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0071e000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "SetErrorMode",
+            "arguments": { "mode": 6 },
+            "category": "system",
+            "flags": {
+              "mode": "SEM_NOALIGNMENTFAULTEXCEPT|SEM_NOGPFAULTERRORBOX"
+            },
+            "return_value": 32773,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 96,
+              "desired_access": "0x00100080",
+              "file_attributes": 128,
+              "file_handle": "0x00000160",
+              "filepath": "C:\\Windows\\SysWOW64\\ieframe.dll",
+              "filepath_r": "\\??\\C:\\Windows\\SysWOW64\\ieframe.dll",
+              "share_access": 7,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "FILE_ATTRIBUTE_NORMAL",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x02760000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 4083712
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0071e000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000156" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000154",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 3,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
+              "value": "\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00fba\u00f4\u0094wy\u00d3\u0001"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_BINARY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020119",
+              "key_handle": "0x00000154",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000154",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020119",
+              "key_handle": "0x0000015c",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000015c",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000015c",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn",
+              "value": 0
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000154" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000015c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75919c5b",
+              "function_name": "CoCreateInstance",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.599626
+          },
+          {
+            "api": "CoCreateInstance",
+            "arguments": {
+              "class_context": 1025,
+              "clsid": "{871c5380-42a0-1069-a2ea-08002b30309d}",
+              "iid": "{000214e6-0000-0000-c000-000000000046}"
+            },
+            "category": "ole",
+            "flags": { "clsid": "Internet_Explorer", "iid": "IShellFolder" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000194",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+              "regkey_r": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x00000194",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+              "regkey_r": "CreateUriCacheSize",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000001",
+              "key_handle": "0x00000198",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+              "regkey_r": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x00000198",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+              "regkey_r": "CreateUriCacheSize",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000001",
+              "key_handle": "0x0000019c",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+              "regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x0000019c",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+              "regkey_r": "CreateUriCacheSize",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000002",
+              "key_handle": "0x000001a0",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+              "regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001a0",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+              "regkey_r": "CreateUriCacheSize",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x00000194",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+              "regkey_r": "EnablePunycode",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x00000198",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+              "regkey_r": "EnablePunycode",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x0000019c",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+              "regkey_r": "EnablePunycode",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001a0",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+              "regkey_r": "EnablePunycode",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x000001a4",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001a4",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001a4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+              "regkey_r": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+              "regkey_r": "Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x000001a4",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+              "regkey_r": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000001",
+              "key_handle": "0x000001a8",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+              "regkey_r": "Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x000001a8",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
+              "regkey_r": "FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x000001a4",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
+              "regkey_r": "FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "KERNEL32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f407f",
+              "function_name": "AcquireSRWLockExclusive",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f4039",
+              "function_name": "ReleaseSRWLockExclusive",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "api-ms-win-downlevel-ole32-l1-1-0",
+              "flags": 0,
+              "module_address": "0x772e0000",
+              "module_name": "api-ms-win-downlevel-ole32-l1-1-0.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7591e9fc",
+              "function_name": "CoTaskMemAlloc",
+              "module": "api-ms-win-downlevel-ole32-l1-1-0",
+              "module_address": "0x772e0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 8,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_WRITECOPY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00926000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 16384,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 8192,
+              "base_address": "0x02760000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 1048576,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x02760000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 73728,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "KERNEL32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f407f",
+              "function_name": "AcquireSRWLockExclusive",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f4039",
+              "function_name": "ReleaseSRWLockExclusive",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "flags": 0,
+              "module_address": "0x76ca0000",
+              "module_name": "api-ms-win-downlevel-advapi32-l1-1-0.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a028d7",
+              "function_name": "RegisterTraceGuidsW",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 8,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_WRITECOPY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e2427c",
+              "function_name": "OpenThreadToken",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24254",
+              "function_name": "OpenProcessToken",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24036",
+              "function_name": "AllocateAndInitializeSid",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1de84",
+              "function_name": "CheckTokenMembership",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e2407e",
+              "function_name": "FreeSid",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "GetNativeSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0092a000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 24576,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "KERNEL32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f407f",
+              "function_name": "AcquireSRWLockExclusive",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779f4039",
+              "function_name": "ReleaseSRWLockExclusive",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x756ef000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ADVAPI32",
+              "flags": 0,
+              "module_address": "0x75e10000",
+              "module_name": "ADVAPI32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a28f8b",
+              "function_name": "RegisterTraceGuidsA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x756ef000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 8,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_WRITECOPY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x756ef000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a9b11a",
+              "function_name": "EventSetInformation",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x756ef000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741700,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "urlmon",
+              "flags": 0,
+              "module_address": "0x75600000",
+              "module_name": "urlmon.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75624610",
+              "function_name": "IsValidURL",
+              "module": "urlmon",
+              "module_address": "0x75600000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtOpenProcess",
+            "arguments": {
+              "desired_access": "0x00000400",
+              "process_handle": "0x000001c8",
+              "process_identifier": 2976
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001cc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001cc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtOpenProcess",
+            "arguments": {
+              "desired_access": "0x00000400",
+              "process_handle": "0x000001cc",
+              "process_identifier": 2976
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001cc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "GlobalMemoryStatusEx",
+            "arguments": {},
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 0,
+              "desired_access": "0x00100080",
+              "file_attributes": 0,
+              "file_handle": "0x000001c8",
+              "filepath": "\\??\\C:",
+              "filepath_r": "\\??\\C:",
+              "share_access": 7,
+              "status_info": 0
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE",
+              "status_info": "FILE_SUPERSEDED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtDeviceIoControlFile",
+            "arguments": {
+              "control_code": 5636096,
+              "file_handle": "0x000001c8",
+              "input_buffer": "",
+              "output_buffer": "\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u00f9\u0018\u0000\u0000\u0000"
+            },
+            "category": "file",
+            "flags": { "control_code": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000001",
+              "key_handle": "0x000001c8",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
+              "regkey_r": "Software\\Microsoft\\Internet Explorer\\Main"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001c8",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
+              "regkey_r": "FrameTabWindow",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000002",
+              "key_handle": "0x000001cc",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
+              "regkey_r": "Software\\Microsoft\\Internet Explorer\\Main"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001cc",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow",
+              "regkey_r": "FrameTabWindow",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001c8",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
+              "regkey_r": "FrameMerging",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001cc",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging",
+              "regkey_r": "FrameMerging",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001c8",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
+              "regkey_r": "SessionMerging",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001cc",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging",
+              "regkey_r": "SessionMerging",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001c8",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
+              "regkey_r": "AdminTabProcs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001cc",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs",
+              "regkey_r": "AdminTabProcs",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
+              "regkey_r": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegOpenKeyExW",
+            "arguments": {
+              "access": "0x00020019",
+              "base_handle": "0x80000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
+              "regkey_r": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001c8",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
+              "regkey_r": "TabProcGrowth",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001cc",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth",
+              "regkey_r": "TabProcGrowth",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001c8",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
+              "regkey_r": "TabProcGrowth",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x000001cc",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth",
+              "regkey_r": "TabProcGrowth",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "api-ms-win-downlevel-shlwapi-l2-1-0",
+              "flags": 0,
+              "module_address": "0x73f80000",
+              "module_name": "api-ms-win-downlevel-shlwapi-l2-1-0.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7731a0b7",
+              "function_name": "SHStrDupW",
+              "module": "api-ms-win-downlevel-shlwapi-l2-1-0",
+              "module_address": "0x73f80000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75926f61",
+              "function_name": "CoTaskMemFree",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "PROPSYS",
+              "flags": 0,
+              "module_address": "0x74190000",
+              "module_name": "PROPSYS.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7419bf2c",
+              "function_name": "PSCreateMemoryPropertyStore",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x741da581",
+              "function_name": "PSCreateAdapterFromPropertyStore",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "CoCreateInstance",
+            "arguments": {
+              "class_context": 1,
+              "clsid": "{76765b11-3f95-4af2-ac9d-ea55d8994f1a}",
+              "iid": "{00000000-0000-0000-c000-000000000046}"
+            },
+            "category": "ole",
+            "flags": {
+              "clsid": "Property_System_Both_Class_Factory",
+              "iid": "IID_IUnknown"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "EXPLORER.EXE",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "EXPLORER.EXE",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x741be0a5",
+              "function_name": "PropVariantToBSTR",
+              "module": "PROPSYS",
+              "module_address": "0x74190000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75913cb9",
+              "function_name": "PropVariantClear",
+              "module": "api-ms-win-downlevel-ole32-l1-1-0",
+              "module_address": "0x772e0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75926f61",
+              "function_name": "CoTaskMemFree",
+              "module": "api-ms-win-downlevel-ole32-l1-1-0",
+              "module_address": "0x772e0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7731b141",
+              "function_name": "IUnknown_Set",
+              "module": "api-ms-win-downlevel-shlwapi-l2-1-0",
+              "module_address": "0x73f80000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x73046000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LoadStringW",
+            "arguments": {
+              "id": 10240,
+              "module_handle": "0x729d0000",
+              "string": "Ou&vrir"
+            },
+            "category": "ui",
+            "flags": {},
+            "return_value": 7,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x760eb659",
+              "function_name": "",
+              "module": "Shell32",
+              "module_address": "0x76050000",
+              "ordinal": 102
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\http\\OpenWithProgids"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d4",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x000001d8",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001d8",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid",
+              "value": "FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d4",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d6" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u008a\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000fa",
+              "regkey": "HKEY_CURRENT_USER"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d4",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\CurVer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x00000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\CurVer"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d8",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d6" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001da",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001da",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d4",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001da" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000001d8",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001d6",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001da",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001da" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d8",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001da",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001da",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000001dc",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001da",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)",
+              "value": "open"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001de" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00ce\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001da",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001da",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001dc",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00d8\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000\\\u0000s\u0000h\u0000e\u0000l\u0000l\u0000\\\u0000o\u0000p\u0000e\u0000n\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001de",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001de",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000001e0",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001de",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000001e2",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001e2" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001da" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u00c2\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000U\u0000S\u0000E\u0000R\u0000\\\u0000S\u0000-\u00001\u0000-\u00005\u0000-\u00002\u00001\u0000-\u00002\u00004\u00008\u00001\u00005\u00000\u00009\u00005\u00008\u00009\u0000-\u00001\u00009\u00005\u00004\u00002\u00006\u00000\u00003\u00006\u00005\u0000-\u00002\u00008\u00003\u00004\u00007\u00003\u00007\u00006\u00007\u00007\u0000-\u00001\u00000\u00000\u00000\u0000_\u0000C\u0000L\u0000A\u0000S\u0000S\u0000E\u0000S\u0000\\\u0000F\u0000i\u0000r\u0000e\u0000f\u0000o\u0000x\u0000U\u0000R\u0000L\u0000-\u00003\u00000\u00008\u00000\u00004\u00006\u0000B\u00000\u0000A\u0000F\u00004\u0000A\u00003\u00009\u0000C\u0000B\u0000",
+              "information_class": 3,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0004\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000001d6",
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000001d8",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\(Default)"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001d6" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001de" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LoadStringW",
+            "arguments": {
+              "id": 4,
+              "module_handle": "0x76ed0000",
+              "string": "M\u00e9moire insuffisante"
+            },
+            "category": "ui",
+            "flags": {},
+            "return_value": 20,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000020c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "API-MS-Win-Core-LocalRegistry-L1-1-0",
+              "flags": 0,
+              "module_address": "0x757c0000",
+              "module_name": "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1eee",
+              "function_name": "RegQueryValueExW",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000020c",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000020c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000020c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000020c",
+              "key_name": "",
+              "reg_type": 2,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
+              "value": "%SystemRoot%\\inf"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_EXPAND_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000020c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtCreateMutant",
+            "arguments": {
+              "desired_access": "0x001f0001",
+              "initial_owner": 0,
+              "mutant_handle": "0x00000210",
+              "mutant_name": ""
+            },
+            "category": "synchronisation",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtCreateMutant",
+            "arguments": {
+              "desired_access": "0x001f0001",
+              "initial_owner": 0,
+              "mutant_handle": "0x00000218",
+              "mutant_name": ""
+            },
+            "category": "synchronisation",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_ALL|STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetNativeSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000021c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "SETUPAPI",
+              "flags": 0,
+              "module_address": "0x76ed0000",
+              "module_name": "SETUPAPI.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77075ff7",
+              "function_name": "CM_Get_Device_Interface_List_Size_ExW",
+              "module": "SETUPAPI",
+              "module_address": "0x76ed0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtDuplicateObject",
+            "arguments": {
+              "desired_access": "0x00000000",
+              "handle_attributes": 0,
+              "options": 2,
+              "source_handle": "0xfffffffe",
+              "source_process_handle": "0xffffffff",
+              "source_process_identifier": 2976,
+              "target_handle": "0x000001f0",
+              "target_process_handle": "0xffffffff",
+              "target_process_identifier": 2976
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00708000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77075480",
+              "function_name": "CM_Get_Device_Interface_List_ExW",
+              "module": "SETUPAPI",
+              "module_address": "0x76ed0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtDuplicateObject",
+            "arguments": {
+              "desired_access": "0x00000000",
+              "handle_attributes": 0,
+              "options": 2,
+              "source_handle": "0x00000220",
+              "source_process_handle": "0xffffffff",
+              "source_process_identifier": 2976,
+              "target_handle": "0x00000224",
+              "target_process_handle": "0xffffffff",
+              "target_process_identifier": 2976
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumeNameForVolumeMountPointW",
+            "arguments": {
+              "volume_mount_point": "\\\\?\\IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#5&394c0ad3&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\",
+              "volume_name": "\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 1252,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000220",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 1252,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000224",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000224",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 2147483653,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000224",
+              "key_name": "",
+              "reg_type": 3,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data",
+              "value": "\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00ba\u0001\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0001\u0000\u0000\u0080\u00bd\u00ad\u00db\u00ba\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u00bd\u00ad\u00db\u00ba\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000I\u0000D\u0000E\u0000#\u0000C\u0000d\u0000R\u0000o\u0000m\u0000V\u0000B\u0000O\u0000X\u0000_\u0000C\u0000D\u0000-\u0000R\u0000O\u0000M\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u0000_\u00001\u0000.\u00000\u0000_\u0000_\u0000_\u0000_\u0000_\u0000#\u00005\u0000&\u00003\u00009\u00004\u0000c\u00000\u0000a\u0000d\u00003\u0000&\u00000\u0000&\u00000\u0000.\u00000\u0000.\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00005\u00009\u00000\u00004\u0000e\u0000f\u00001\u00003\u0000-\u00002\u0000a\u00002\u00004\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u0000b\u00004\u00007\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u
0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_BINARY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000224",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000220",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000220",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtDuplicateObject",
+            "arguments": {
+              "desired_access": "0x00000000",
+              "handle_attributes": 0,
+              "options": 2,
+              "source_handle": "0x00000220",
+              "source_process_handle": "0xffffffff",
+              "source_process_identifier": 2976,
+              "target_handle": "0x00000224",
+              "target_process_handle": "0xffffffff",
+              "target_process_identifier": 2976
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumeNameForVolumeMountPointW",
+            "arguments": {
+              "volume_mount_point": "\\\\?\\STORAGE#Volume#{6fb977c0-2a1f-11ea-848b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\",
+              "volume_name": "\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 1252,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000224",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000220",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000220",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 2147483653,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000220",
+              "key_name": "",
+              "reg_type": 3,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data",
+              "value": "\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00ba\u0001\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u0000\u00e7\u0003\u00ff\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0004i\u00ad\u00ae\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000S\u0000T\u0000O\u0000R\u0000A\u0000G\u0000E\u0000#\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000#\u0000{\u00006\u0000f\u0000b\u00009\u00007\u00007\u0000c\u00000\u0000-\u00002\u0000a\u00001\u0000f\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u00008\u00004\u00008\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000#\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00001\u00000\u00000\u00000\u00000\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00003\u0000e\u0000b\u0000d\u00002\u00007\u00004\u00004\u0000-\u0000e\u00005\u00006\u00009\u0000-\u00001\u00001\u0000e\u00007\u0000-\u0000b\u00003\u00008\u00002\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000R\u0000\u00e9\u0000s\u0000e\u0000r\u0000v\u0000\u00e9\u0000 \u0000a\u0000u\u0000 
\u0000s\u0000y\u0000s\u0000t\u0000\u00e8\u0000m\u0000e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u0000T\u0000F\u0000S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_BINARY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000220",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000224",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000224",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtDuplicateObject",
+            "arguments": {
+              "desired_access": "0x00000000",
+              "handle_attributes": 0,
+              "options": 2,
+              "source_handle": "0x00000224",
+              "source_process_handle": "0xffffffff",
+              "source_process_identifier": 2976,
+              "target_handle": "0x00000220",
+              "target_process_handle": "0xffffffff",
+              "target_process_identifier": 2976
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumeNameForVolumeMountPointW",
+            "arguments": {
+              "volume_mount_point": "\\\\?\\STORAGE#Volume#{6fb977c0-2a1f-11ea-848b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\",
+              "volume_name": "\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 1252,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000220",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000224",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000224",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": 2147483653,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000224",
+              "key_name": "",
+              "reg_type": 3,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data",
+              "value": "\u0000\u0000\u0000\u0000\r\u00f0\u00ad\u00baA\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u0000\u00e7\u0003\u00ff\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u00e0\u009d\u00b2\u0010\u0004@\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000S\u0000T\u0000O\u0000R\u0000A\u0000G\u0000E\u0000#\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000#\u0000{\u00006\u0000f\u0000b\u00009\u00007\u00007\u0000c\u00000\u0000-\u00002\u0000a\u00001\u0000f\u0000-\u00001\u00001\u0000e\u0000a\u0000-\u00008\u00004\u00008\u0000b\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000#\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00000\u00006\u00005\u00000\u00000\u00000\u00000\u00000\u0000#\u0000{\u00005\u00003\u0000f\u00005\u00006\u00003\u00000\u0000d\u0000-\u0000b\u00006\u0000b\u0000f\u0000-\u00001\u00001\u0000d\u00000\u0000-\u00009\u00004\u0000f\u00002\u0000-\u00000\u00000\u0000a\u00000\u0000c\u00009\u00001\u0000e\u0000f\u0000b\u00008\u0000b\u0000}\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\\\u0000\\\u0000?\u0000\\\u0000V\u0000o\u0000l\u0000u\u0000m\u0000e\u0000{\u00003\u0000e\u0000b\u0000d\u00002\u00007\u00004\u00005\u0000-\u0000e\u00005\u00006\u00009\u0000-\u00001\u00001\u0000e\u00007\u0000-\u0000b\u00003\u00008\u00002\u0000-\u00008\u00000\u00006\u0000e\u00006\u0000f\u00006\u0000e\u00006\u00009\u00006\u00003\u0000}\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000N\u0000T\u0000F\u0000S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_BINARY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000224",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000220",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000224" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000220",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\",
+              "volume_path_name": ""
+            },
+            "category": "file",
+            "flags": {},
+            "last_error": 234,
+            "nt_status": -2147483643,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\",
+              "volume_path_name": "C:\\"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\",
+              "volume_path_name": ""
+            },
+            "category": "file",
+            "flags": {},
+            "last_error": 234,
+            "nt_status": -2147483643,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\",
+              "volume_path_name": "D:\\"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\",
+              "volume_path_name": ""
+            },
+            "category": "file",
+            "flags": {},
+            "last_error": 234,
+            "nt_status": -2147483643,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{3ebd2744-e569-11e7-b382-806e6f6e6963}\\",
+              "volume_path_name": ""
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\",
+              "volume_path_name": ""
+            },
+            "category": "file",
+            "flags": {},
+            "last_error": 234,
+            "nt_status": -2147483643,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "GetVolumePathNamesForVolumeNameW",
+            "arguments": {
+              "volume_name": "\\\\?\\Volume{3ebd2745-e569-11e7-b382-806e6f6e6963}\\",
+              "volume_path_name": "C:\\"
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000220" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x7401e5a5",
+              "function_name": "",
+              "module": "comctl32",
+              "module_address": "0x73ff0000",
+              "ordinal": 386
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "LdrUnloadDll",
+            "arguments": {
+              "library": "Shell32",
+              "module_address": "0x76050000"
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2920,
+            "time": 1606943649.661626
+          },
+          {
+            "api": "CreateProcessInternalW",
+            "arguments": {
+              "command_line": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"",
+              "creation_flags": 67634192,
+              "current_directory": "C:\\Users\\mes-vms\\AppData\\Local\\Temp",
+              "filepath": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+              "filepath_r": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+              "inherit_handles": 0,
+              "process_handle": "0x000001e0",
+              "process_identifier": 1952,
+              "stack_pivoted": 0,
+              "thread_handle": "0x000001ec",
+              "thread_identifier": 2524,
+              "track": 1
+            },
+            "category": "process",
+            "flags": {
+              "creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
+            },
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "ShellExecuteExW",
+            "arguments": {
+              "filepath": "http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974",
+              "filepath_r": "http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974",
+              "parameters": "",
+              "show_type": 10
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000001da" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x758eead9",
+              "function_name": "OleUninitialize",
+              "module": "Ole32",
+              "module_address": "0x758d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "ShellExecuteExW",
+            "arguments": {
+              "filepath": "http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974",
+              "filepath_r": "http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974",
+              "parameters": "",
+              "show_type": 10
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2628,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "CoUninitialize",
+            "arguments": {},
+            "category": "ole",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "LdrUnloadDll",
+            "arguments": {
+              "library": "Shell32",
+              "module_address": "0x76050000"
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000011c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000120" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.677626
+          },
+          {
+            "api": "NtDelayExecution",
+            "arguments": { "milliseconds": 3000, "skipped": 0 },
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "CreateThread",
+            "arguments": {
+              "flags": 0,
+              "function_address": "0x75b712e5",
+              "parameter": "0x00922640",
+              "stack_size": 262144,
+              "thread_identifier": 3020
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 292,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x02570000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 704512,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 3020,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 8192,
+              "base_address": "0x10000000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 753664,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x10000000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 753664,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x10000000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x10001000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x1000b000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 704512,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x100b7000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "KERNEL32",
+              "flags": 0,
+              "module_address": "0x757c0000",
+              "module_name": "KERNEL32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d4977",
+              "function_name": "LoadLibraryA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1222",
+              "function_name": "GetProcAddress",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d42ff",
+              "function_name": "VirtualProtect",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1826",
+              "function_name": "VirtualAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d183e",
+              "function_name": "VirtualFree",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "msvcrt",
+              "flags": 0,
+              "module_address": "0x75b60000",
+              "module_name": "msvcrt.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69894",
+              "function_name": "free",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x10001000",
+              "heap_dep_bypass": 1,
+              "length": 40960,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 64,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x1000b000",
+              "heap_dep_bypass": 1,
+              "length": 704512,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 64,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x100b7000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "KERNEL32",
+              "flags": 0,
+              "module_address": "0x757c0000",
+              "module_name": "KERNEL32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d4977",
+              "function_name": "LoadLibraryA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1245",
+              "function_name": "GetModuleHandleA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d17d9",
+              "function_name": "GetCurrentProcess",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1454",
+              "function_name": "InterlockedCompareExchange",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1432",
+              "function_name": "InterlockedExchange",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1222",
+              "function_name": "GetProcAddress",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d11f8",
+              "function_name": "GetCurrentProcessId",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d11c0",
+              "function_name": "GetLastError",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757ed7ea",
+              "function_name": "TerminateProcess",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d10ff",
+              "function_name": "Sleep",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1420",
+              "function_name": "GetCurrentThreadId",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d110c",
+              "function_name": "GetTickCount",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d16f5",
+              "function_name": "QueryPerformanceCounter",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d8769",
+              "function_name": "SetUnhandledExceptionFilter",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f770f",
+              "function_name": "UnhandledExceptionFilter",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757fd1f3",
+              "function_name": "RtlUnwind",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757fb2af",
+              "function_name": "OutputDebugStringA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d34a9",
+              "function_name": "GetSystemTimeAsFileTime",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "msvcrt",
+              "flags": 0,
+              "module_address": "0x75b60000",
+              "module_name": "msvcrt.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6de4a",
+              "function_name": "strstr",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6dbae",
+              "function_name": "strrchr",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b9031d",
+              "function_name": "_time64",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69894",
+              "function_name": "free",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69cee",
+              "function_name": "malloc",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb57a5",
+              "function_name": "?what@exception@@UBEPBDXZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b714e3",
+              "function_name": "??1exception@@UAE@XZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b714f9",
+              "function_name": "??0exception@@QAE@XZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb56cd",
+              "function_name": "??0exception@@QAE@ABV0@@Z",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b7132e",
+              "function_name": "_beginthreadex",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b83557",
+              "function_name": "_CxxThrowException",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bbbf99",
+              "function_name": "_callnewh",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69790",
+              "function_name": "memset",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b69910",
+              "function_name": "memcpy",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6a42d",
+              "function_name": "_unlock",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f509",
+              "function_name": "__dllonexit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6a449",
+              "function_name": "_lock",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b7112d",
+              "function_name": "_onexit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb92bb",
+              "function_name": "??1type_info@@UAE@XZ",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b8dc75",
+              "function_name": "_XcptFilter",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6c151",
+              "function_name": "_initterm",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bcb30f",
+              "function_name": "_amsg_exit",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f76e",
+              "function_name": "isleadbyte",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c02900",
+              "function_name": "_iob",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b8fa7c",
+              "function_name": "_snprintf",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b84218",
+              "function_name": "_itoa",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75bb22bf",
+              "function_name": "wctomb",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c03210",
+              "function_name": "__badioinfo",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75c00500",
+              "function_name": "__pioinfo",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6ac15",
+              "function_name": "_fileno",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b74303",
+              "function_name": "_lseeki64",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b74078",
+              "function_name": "_write",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6f383",
+              "function_name": "_isatty",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b7ca0b",
+              "function_name": "_strlwr",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b6a5b8",
+              "function_name": "_errno",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75b83495",
+              "function_name": "__CxxFrameHandler",
+              "module": "msvcrt",
+              "module_address": "0x75b60000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x10000000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x10000000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x02570000",
+              "free_type": 32768,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 704512
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "Kernel32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d13e0",
+              "function_name": "CloseHandle",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d5366",
+              "function_name": "CreateFileA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1072",
+              "function_name": "CreateProcessA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f733f",
+              "function_name": "CreateToolhelp32Snapshot",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d53e4",
+              "function_name": "DeleteFileA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757e107d",
+              "function_name": "GetNativeSystemInfo",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f2754",
+              "function_name": "GetTempPathA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779ee0c6",
+              "function_name": "HeapAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1499",
+              "function_name": "HeapFree",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x779fc7ac",
+              "function_name": "HeapReAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75856459",
+              "function_name": "Module32First",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75856542",
+              "function_name": "Module32Next",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757fccf1",
+              "function_name": "MoveFileExA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1956",
+              "function_name": "OpenProcess",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f8ad3",
+              "function_name": "Process32First",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f882a",
+              "function_name": "Process32Next",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757eecbb",
+              "function_name": "SetFileAttributesA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1136",
+              "function_name": "WaitForSingleObject",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1282",
+              "function_name": "WriteFile",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d1826",
+              "function_name": "VirtualAlloc",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757d183e",
+              "function_name": "VirtualFree",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x75e10000",
+              "module_name": "Advapi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e240de",
+              "function_name": "AdjustTokenPrivileges",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e53384",
+              "function_name": "ChangeServiceConfig2A",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e533a4",
+              "function_name": "ChangeServiceConfigA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e235e4",
+              "function_name": "CloseServiceHandle",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e53414",
+              "function_name": "CreateServiceA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e23f9a",
+              "function_name": "LookupPrivilegeValueA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24254",
+              "function_name": "OpenProcessToken",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e22b20",
+              "function_name": "OpenSCManagerA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e22b38",
+              "function_name": "OpenServiceA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1790c",
+              "function_name": "QueryServiceStatusEx",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e245ed",
+              "function_name": "RegCloseKey",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e213b1",
+              "function_name": "RegCreateKeyExA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e2485b",
+              "function_name": "RegOpenKeyExA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e24843",
+              "function_name": "RegQueryValueExA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e1b254",
+              "function_name": "RegSetKeySecurity",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e213fb",
+              "function_name": "RegSetValueExA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x75e537ff",
+              "function_name": "StartServiceA",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "OpenSCManagerA",
+            "arguments": {
+              "database_name": "",
+              "desired_access": 983103,
+              "machine_name": ""
+            },
+            "category": "services",
+            "flags": {},
+            "return_value": 7204320,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "OpenServiceA",
+            "arguments": {
+              "desired_access": 5,
+              "service_handle": "0x00000000",
+              "service_manager_handle": "0x006dede0",
+              "service_name": "WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "services",
+            "flags": {},
+            "last_error": 1060,
+            "nt_status": 0,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.630626
+          },
+          {
+            "api": "CreateServiceA",
+            "arguments": {
+              "desired_access": 983551,
+              "display_name": "Windows Client Server Runtime Subsystem",
+              "error_control": 0,
+              "filepath": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss",
+              "filepath_r": "%SystemRoot%\\system32\\svchost.exe -k Wcsrss",
+              "password": "",
+              "service_handle": "0x006deca0",
+              "service_manager_handle": "0x006dede0",
+              "service_name": "WindowsClientServerRunTimeSubsystem",
+              "service_start_name": "",
+              "service_type": 16,
+              "start_type": 2
+            },
+            "category": "services",
+            "flags": {},
+            "return_value": 7204000,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select",
+              "regkey_r": "SYSTEM\\Select"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current",
+              "regkey_r": "Current",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood",
+              "regkey_r": "LastKnownGood",
+              "value": 2
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCreateKeyExA",
+            "arguments": {
+              "access": "0x00000006",
+              "base_handle": "0x80000002",
+              "class": "",
+              "disposition": 0,
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description",
+              "regkey_r": "Description",
+              "value": "This service manages client to server coordination in the local system."
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName",
+              "regkey_r": "DisplayName",
+              "value": "Windows Client Server Runtime Subsystem"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 2,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath",
+              "regkey_r": "ImagePath",
+              "value": "%SystemRoot%\\system32\\svchost.exe -k Wcsrss\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_EXPAND_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName",
+              "regkey_r": "ObjectName",
+              "value": "LocalSystem"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl",
+              "regkey_r": "ErrorControl",
+              "value": 0
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "GetNativeSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64",
+              "regkey_r": "WOW64",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start",
+              "regkey_r": "Start",
+              "value": 2
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type",
+              "regkey_r": "Type",
+              "value": 16
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000001",
+              "base_handle": "0x80000002",
+              "key_handle": "0x0000011c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x0000011c",
+              "reg_type": 3,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+              "regkey_r": "FailureActions",
+              "value": "<INVALID POINTER>"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_BINARY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegQueryValueExA",
+            "arguments": {
+              "key_handle": "0x0000011c",
+              "reg_type": 3,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+              "regkey_r": "FailureActions",
+              "value": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_BINARY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 3,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+              "regkey_r": "FailureActions",
+              "value": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0014\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_BINARY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000011c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCreateKeyExA",
+            "arguments": {
+              "access": "0x40000000",
+              "base_handle": "0x00000120",
+              "class": "",
+              "disposition": 1,
+              "key_handle": "0x0000011c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+              "regkey_r": "Parameters"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x0000011c",
+              "reg_type": 2,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+              "regkey_r": "ServiceDll",
+              "value": "%SystemRoot%\\csrss.dll\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_EXPAND_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000011c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000006",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64",
+              "regkey_r": "WOW64",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCreateKeyExA",
+            "arguments": {
+              "access": "0x40000000",
+              "base_handle": "0x00000120",
+              "class": "",
+              "disposition": 1,
+              "key_handle": "0x0000011c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+              "regkey_r": "Parameters"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x0000011c",
+              "reg_type": 2,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+              "regkey_r": "ServiceDll",
+              "value": "%SystemRoot%\\csrss.dll"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_EXPAND_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000011c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000006",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64",
+              "regkey_r": "WOW64",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCreateKeyExA",
+            "arguments": {
+              "access": "0x40000000",
+              "base_handle": "0x00000120",
+              "class": "",
+              "disposition": 2,
+              "key_handle": "0x0000011c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+              "regkey_r": "Parameters"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x0000011c",
+              "reg_type": 2,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+              "regkey_r": "ServiceDll",
+              "value": "%SystemRoot%\\csrss.dll"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_EXPAND_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000011c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00000002",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost",
+              "regkey_r": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegSetValueExA",
+            "arguments": {
+              "key_handle": "0x00000120",
+              "reg_type": 7,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\Wcsrss",
+              "regkey_r": "Wcsrss",
+              "value": "WindowsClientServerRunTimeSubsystem\u0000\u0000"
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_MULTI_SZ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeSecurityPrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000120" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeRestorePrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000120" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeTakeOwnershipPrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000120" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x01040000",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00080000",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x01040000",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegOpenKeyExA",
+            "arguments": {
+              "access": "0x00080000",
+              "base_handle": "0x80000002",
+              "key_handle": "0x00000120",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem",
+              "regkey_r": "SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000120" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "kernel32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f9796",
+              "function_name": "GetSystemWindowsDirectoryA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryA",
+            "arguments": { "dirpath": "\u0000GetSystemW" },
+            "category": "file",
+            "flags": {},
+            "return_value": 11,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryA",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "SetFileAttributesW",
+            "arguments": {
+              "file_attributes": 128,
+              "filepath": "c:\\Windows\\csrss.exe",
+              "filepath_r": "c:\\windows\\csrss.exe"
+            },
+            "category": "file",
+            "flags": { "file_attributes": "FILE_ATTRIBUTE_NORMAL" },
+            "last_error": 2,
+            "nt_status": -1073741772,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x757c0000",
+              "module_name": "kernel32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x757f9796",
+              "function_name": "GetSystemWindowsDirectoryA",
+              "module": "kernel32",
+              "module_address": "0x757c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryA",
+            "arguments": { "dirpath": "\u0000GetSystemW" },
+            "category": "file",
+            "flags": {},
+            "return_value": 11,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "GetSystemWindowsDirectoryA",
+            "arguments": { "dirpath": "C:\\Windows" },
+            "category": "file",
+            "flags": {},
+            "return_value": 10,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "SetFileAttributesW",
+            "arguments": {
+              "file_attributes": 128,
+              "filepath": "c:\\Windows\\csrss.dll",
+              "filepath_r": "c:\\windows\\csrss.dll"
+            },
+            "category": "file",
+            "flags": { "file_attributes": "FILE_ATTRIBUTE_NORMAL" },
+            "last_error": 2,
+            "nt_status": -1073741772,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 5,
+              "create_options": 96,
+              "desired_access": "0x40100080",
+              "file_attributes": 6,
+              "file_handle": "0x00000120",
+              "filepath": "c:\\Windows\\csrss.dll",
+              "filepath_r": "\\??\\c:\\windows\\csrss.dll",
+              "share_access": 1,
+              "status_info": 2
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OVERWRITE_IF",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE",
+              "file_attributes": "FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM",
+              "share_access": "FILE_SHARE_READ",
+              "status_info": "FILE_CREATED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "CreateThread",
+            "arguments": {
+              "flags": 0,
+              "function_address": "0x75b712e5",
+              "parameter": "0x00922640",
+              "stack_size": 0,
+              "thread_identifier": 1980
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 284,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x02570000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 671744,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 1980,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtWriteFile",
+            "arguments": {
+              "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u007fP\u00ea\u00f0;1\u0084\u00a3;1\u0084\u00a3;1\u0084\u00a3(9\u00ed\u00a391\u0084\u00a32I\u0011\u00a3=1\u0084\u00a32I\u0017\u00a391\u0084\u00a32I\u0007\u00a3\u00061\u0084\u00a3%c\u0000\u00a381\u0084\u00a3\u00f8>\u00d9\u00a3>1\u0084\u00a3;1\u0085\u00a3D1\u0084\u00a32I\u0000\u00a3*1\u0084\u00a3\u001c\u00f7\u00fa\u00a3:1\u0084\u00a3 \u00ac+\u00a341\u0084\u00a3 \u00ac\u001f\u00a3:1\u0084\u00a3 \u00ac\u0019\u00a3:1\u0084\u00a3Rich;1\u0084\u00a3\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0003\u0000\u001f\u00e7}8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002!\u000b\u0001\n\u0000\u0000@\n\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u00b0\u00d8\n\u0000\u0000\u00b0\u0000\u0000\u0000\u00f0\n\u0000\u0000\u0000\u0000\u0010\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000b\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0001\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00c8\u00f0\n\u0000\u0084\u0000\u0000\u0000\u0000\u00f0\n\u0000\u00c8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0
000\u0000\u0000\u0000\u0000\u0000L\u00f1\n\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u00e4\n\u0000H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000<t\n\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000UPX0\u0000\u0000\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0080\u0000\u0000\u00e0UPX1\u0000\u0000\u0000\u0000\u0000@\n\u0000\u0000\u00b0\u0000\u0000\u00006\n\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0UPX2\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00f0\n\u0000\u0000\u0002\u0000\u0000\u0000:\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00003.91\u0000UPX!\r\t\u000e\nhX\u00d7\u00e7\u00f5p\u00f9\u00ae\u00e0\u00bc\n\u0000\u00a3(\n\u0000\u0000\u0086\n\u0000I\u0001\u0000:\u001a\u0003\u00004\u0000,\b\u00d1\u00fb\u0088\u00edfs\u0090\u00de?\u0015\u00b7\u00f0\u008e\u0016\u00fc\u00cd\u000eB3\u000f-j\u00a6\u00c4\u00ec\u00bc\u0006\u00fa\\7\u00fbA\u008c\u0099\u0016\u0094\u00dfG\u0005\u0095\u00e2\u00d4o4E\u008e\u00fd\u0016r\u00d8 H\u00e8\u00a2\u00ea*\u001e\u00dd.\"\u000e\u0088\u0085\u00131\u00ef\u00b6\u0001j|\u00bd\u00a2\u00a9\u00be\u00d6\u00ba{3\u0018\f\u00a9\u00f4\u00c5\u00e3\u00d8\u00cf\u00b5+\u0011\u0097\u00e9\u0016\u0082u\u00d5\r\u0090>\u00ae$\u00e4\u0084f!\u00ecP\u00b3\u00b3\u00dao 
\u0086\u0099@\u00de8'\u00a6c\u00f0\f\u008c\u00a5\u00d4\u001fr\u0087\u00b7-+x\u008aF\u00aa\f\u00a0\u00cbz<\u00ca7\u0003\u00bf\u00f0Fs&s\u00bfJ\u0000J\u0094N\u00d1\u00df\u00bc\u00a1\u0093\u00d5\u0094<\u0094\u00a3'>&\u0014Oa`\u0012C\u0013\u008b\u0087\u0006\u00cf\u00aa\u00fe8c\u00dbQ\u00ad\u009a-%B:G\u00ef\u0083\u00b9F\u00fd\u0080\u0017Z\u00a7Ko\u00a5\u0084\u00f0v\u0094\u00c1\u0017\u00c4\u0015X\u00b8L\u00b11\u0087\u00dd'X'\u00cd:\u00bb\\O\t\u00e9\u0083\u00ea\u00b9\u008a\u00ae\u00dc\u00be\u0018$wQ@{\u00a4\u00e2\u0098\u0019@\u0015\u00b7r\u00f3\u00f3\u00ae\u00b9\"uj\u00a4i\u00fe\u00817:\u00c7\u007f=p\u00f6\u0001\u00f5qK\u00ecx\u00aa\u00fcsR\u0017y\u001f\u00b0\u00ff\u00c7!\u0094\u00c6\u00e2\u00e0\u0014l\u0012\u00da\u0000v\u001b\u000b\u0015R!T\u008dG\u00ff\u00c319\u0093\u00c5n\u0013\u00a9\u00d5l\u008e\u008e\u0086U[\u0086\u00f1\f\u00b8\u0016\u00aeN\u0006 -\u00ef\u00a8\u00ea\u000fi\u00cd?\u00bc\u001a\u00b7F]\u001e\u00e1\u00e1\u00e2\u00a8\u00f7E\u00e3\u00c53\u00b9b\u0012\u00cf\u00f4J\u009f\u0013]\u00c6.\u00ffc\u0013\u008cAn2\u0007\u0088\u00e1\u00f4n!0\u00e10z\u00ab\f\u0001/\u00a2\u0087bu\u00b6\u00d3WN\u00c9\u008b\u00d8\u001f7Qh\u00e2\u000bk\u00e8VS])\u0007\u00e6H\u0004\u00a4\u0014p\u00a6\u00b3P\u00b7\u00cb\u00f0O\u0001\u00e6M\u007fL\u00a4-\u0019\u0012\u001eN\u009e\fa\u00c25\u0002\u00e4=e\u00e8\u00deJ\u001aM\u00e8;,\u00e2@26M&J\u00d7\u00b7\u00d6\u0085\u009f\u00bb\u00b0\u0098\u00b8c\u001d\u00a1E\u00e3\u00dfW\u00e5yP\u00e3\u00ec\u00fc\u007fu\u0004\u00bc`)\u00eb\u00f8\u00a8\u0093^\u0088\u00ac\u00bc!\u00f3\u0019\f\u0011P8ZI\u00e4/U\u00ef\u0099\t\u00c0\u00e4v\u0001\u0086JU\u00a8\u00f6Y\u0090\u0084\u0016+\u00ebZ\u00a7'^Z{\u00ed\u001eT\u00d4\u0083\u0081\u00d0\u00ec\u00d2\u0098\u00aaL\u00c9\u00aa\u0083X\u00cfT\t'\u00c7\u00d9\u0013[\u0093F\u00be/\u00e3\u00c4\u00d85\u00beR\u00a1\u00ec\u00c3\u0019wEu\u00bb\u00b4(\u00d0\u00a0\u0095_\u00d0u\u00fd\u00f5\u001e\u00c1\u0003eX\u00bd\u00925\u0003\u0089\u00c5\u00aa9\u0007P\u008c\u0015\u00e8\u00ea\u00a8U-\u0010\u00c2\u00c3\u001c\u00c3\u00a3\u00df\u0
0ef\u0014\u009c*\u0001u\u0001\u00e0\u00b3wd\u0012\u00f5]'\u0002\u00f0\u00bbV\"\u009e\u009d\u00e6\u009b\u0012\u0019\u0013<:]\u001c\u00c4\u00cf\u00d9\u00ed\u00d1j\u0081\u0003\u00adZ&`$\u009f\u00b2*\u00a10\u00f3\u00d97\u00b7\u00bc\u00f9\f\u0014+M\u0011l\u00b32\u00d4\u0010\u00c9V\u00ce\u00f2\u00abO\u00caNx\u008b\u00ac1A\u00e9OxQ\u00df\u0016\u00af\u00c7O*\u00df\u00e1\u0080\u00fa\u0098\u0096(2&\u00a4\u00b0\u00f102\\\u0019\u0013li\u00eax\u008c\\C\u0094\u00ef\u00a8\u00a4\u00b1b|r\u00b9\u00f9\u00aa7\u00c9)\u00c5m\u00e6\u00a9\u00c9c\u0010\u00fbj\u00f5\u009d\u00b9\n\u00e4\u001a\u00f6\u0019\u00ae\u0091\u00a5\u00ef{R\u00e4\u00b7J\u00c7-\u0089\u00b3\u00b4pq\u00ddw\u00b68\u00ea\u009a\u0087k\u008ck\"X\u00bcoAwU\u00f6x\u0007[/\u00da\u00f5s\u00a0\b\u0090\u00d3\u0003\u00de\u0086\u00c1\u0084\u00c7\u00010\\\u00db\u009a\u00c1F{W;\u0006n\u00b4\f\u0012\u00fb\u00c0d\u00f3\u0018\u00e0ho\u00d3\u00ceA\u00b8\u0098\u00b7\u001c\u00ca\u008a2`.\u00f2\u00d0;\u0095/\u0015Q\u009eX\u009d|\u00eb\u0018Fs\u00f8\u00aa;\u00ae\u001c\u0011K\u00f9\u000f\u007f+\rM\u001f`\u009a\u00e2#\u00ca\u00b1\u00d3\u0094#\u0003^\u00ae\u00ce\u00f4e\u0090\u00b2\u00e6y\u0011\u00151\u00c3\n\u0011\u00ac\u008a\u00d4\u00ccM\u001bdd\u0082t\u0013\u00f5@\u00ddB\u0083Z\u001bs8F\u00b53\u00e4\u0017\u00ff\u00ab\u00c0-\u00d3!\u0088\u001cb\u001f\u001c_\u0089I|Q\u00b2\u0092\u00ddI*\u008f\u00af\u000e\u001f\u008f\u00ff8\u009c\u00d6\u00dc\u00b1\u0087l\u00c8\u007f\u0089p\u0099Ot\u00bf4\u00a5C\u00e9\u00a9p\u0089\u00ee\u0017\u0013\"\u0018M\u00e4\u00d4HC\u0015H\u00f6lj\u0017v;5\u00d1\u008e:\u001e_\u00ca\u00f2\u0093c\u00ff\u0014\u00d3\u00acf\u00e7\u00c5-\u0018\u00d3\u0097\u0002P\u00ef\u00a5^\u0098\u000ec\u00fb\u0083R\u00efF|\u00adix(\u00d2B\u00ed\u00a4\u00d0\u00b7\u00d0\u00bf\u0089^6\u0011\u009c\u0087\u00f15\u0016~k\u001bD\u0097\u0014\u0015\u00ab7\u0088\u00b5\u00f5\u008f\u00e1\u0080T>\u00de\u008d\u00e6+\u00e0x/\u009f\u009f\u0083'\"\u00e6_|\u00ef\u00c2\u0080\u00b7M('\u00b1\u0003\u001e\u0081\r\u00e6\u008f@CG\u00c3^2\u00a9\\\u00d3!\u00dd2$f\u008d\u00ca
.\u00871k\u00f7\\.\u00a9rY\u00b7\u0097i\u00e1E\u0084\u008dVb{\u0095*^x\u009eQ\u00e0(\u00f6\u0015b%_\u0096KNs\r\u0091\u0097\u00ef\u00eb}/\u00d5L\u00c5c\u0081U\u0018e&+\u00f60\u00de\u0095$\u00fd /\u00e3\u0085\u0088)/\u00d1c\u00c2\u00a2PEi=qY\u00c8\u008f\f\u00a0\u0082\u0084\u00c3\u00cb\nj\u00b0)r\u00f2\u0092\u00fd\u00f3\u00de\f\u00a0Y\u00e3d0S\u00f1b\u008a\u00c6\u008c\u00c3\u00cf\u00b9M\u0086\u00d63(K<\u00d8a[8\u0016\u00dc+Ja\u00ff\u00d4\"\u0003.AT\u0011f\u00c4\u00afsS\u008b\u00e4C*\u00bc\u00fe\u00bb\u00a1\u001a\u0087_p9U?\u00da}R\u00cc\u009a\u008cr\no\u0084\u00a3\n\u0090\u00e1\u00ad\r\u001dwk\u0000\u00e5_|)\u0083V>\u00ac\u0081N\u00e8\u00ca\u000e\u008f\u00b3\u00d6l\u00fcl1\u001b\u0011\u00c5\u0013\u0007s\u00fd\u00e0z\u00b2\u00ee\u001c5=\u00b5.;\u00ee\u00b1\u001d\u0098\u008d\u00f5_\u00f9\u0087&\u009e?.\u0087\u00d1\u00e5\u0091\u00fb\u0096g\u001fcu;\u00fe\u00fev\u0018PUGe\u00c6\u008f+\u0081\u00b8>\u00d3\u009a\u00a8\u007f\u00bfGD\u00c0\u00ed\u00af\u00bb\u00f0Y\u0005\u00b9\u0016\u009d_\u0080\u00c6j^\u00f8x\u00d8h\u0017|b\u00c7?\u0086!\u0082M\u00afj\u00c7\u00d0\u00e9b\u0007\u00eb\u00b3]\u009e\u009cK\u00d9\b%\u0097\u00d5\u00b5\u00df\u00af\u00e4\u0095\u00f1z\u00e7\u0099\u00b1]\u00fae%\u00e1\u00a3\u0011=}]lA[a \u009c\u00a5\u00cd\u00ab\u00f1 
\u00e2\u009b\u0001\u00df\u001a;tm\u00e9~\u0085\u00a2\u00f1\u009f\u00f91\u00d8\u00d2\u00d9\u001a\f\u009aC\u00b0R\u0084|f\u000f\u0099\u00bd\u00e3\u00ef\u00da\u001bA\u00f2\u00ed\u00e5\u0015B\u0011u\u00ae\u00ae\u00ae\u00f2\u00f1a@.>\u0013\u0098\u00ffy)\u009e\u0001\u00a8^\"\u00df\u00e13\u00d6\tl\u00e59X\u00ac\u0096\u0090\u00df\u0013\u0084\u00db\u008eX\u00dd\u00c2\u00f8\u00edr,\u00ea[&\u00e6A\u00cb0\u0006\u00a5\u00c1$\u00a2B\u0002?z\u00e7\u00c7\u0013\u00c1C!\u009d\u00d9\rRU\u0019\u009c-\u00b6\u00bfDs\u00a0\u0093YE\u00c4\u00f6\u00e8T,f\u00cf4\u000b\u00f4\u00b5\u00fb\u00ce\u0002a\u00a8\u009bS\u0097\u001b\u00cb9:\u00e2\u00bf\u0089\u00fcG\u00b0sssyNx\u00f7\u0088u\u00c8\u00cc\u00d2\u00f7\u0092\u00d2\u00b3\u009e\u009a\u00f2c\u00ff\fl\u0099\u0011\u00f0\u00ed~hY)\u00bfr\u00d9\u0006\u00ac\u00daU\u0004\u00d0o\u00f0H\u00fd\u0003\u0010k\u0002S]k_o\u009c\u0087\u001a\u00c0\u00e0\u00f4E\u00a5\u00bd\u00b6D\u000e\u00ee\u00f9*\u0081+L4\u00058\u00c1\u00db9i\u008f\u00b9R}\u00c1\u00c8\u00a1\u0081\u00b0r\u0003z`H\u00d9\u00ca\u00f7}0\u00b2+Y\u00bd\u00dd\u008at\u009e\u001d\u00fd@\u00b7\u00de\u0082\u00c7\u00fe\u0000 
\u00edb\u00a0>f\u00c9\u00eb&DGD\u0083i\u00cf9O\u001b\u001d\u0004&|g\u00d1\u00bb\u00dc\u00b5>b0p\u00d6A\u0083\u00ea\u009a\u00a4\u0092)\u008e&\u00ca8w\u00d9-\u00aerz\u0003\u0018\u00d7\u009e\"\u0013v\u00e6c=\u009c0\u00c4:\u00b5\u0089|\u0093q.\u0017\u00f2\u0000\u00c6\u00a9`\u00e0-\u0017\u00c32\u000e\u0016\u00d8t\u00cd\u00c0=\u001a\u00b0\u0093\u0081\u00c5e\u00c0\u00d5x\u00e3\u0019\u00839\u0015\u00c0\u001f\u0005\u00b0\u00d4\u00d5\u0097\u00ec\u00c7\u00af\rIknKK\u0083Wo\u008c:\t`\u00ae\u00db\u00f2j*\u009b]\u009b\u00c8\u008c\u0018(C+\u00cc/\u00cd\u0016\u0083S,\u00d5\u00f3c\u0018\u0007c9\u0002\u0011\u00eb\u00d7/9(\r\u00acU_\u001a\u00db\u00904r\u0000R\u00f2\u0019+\u00f8\u00ee\u0016\u00f2\u001d\u00e0\u0097\u00c2*]\u00d9sv\u001b\u0096\u0099\u009a\u0095\u00c6\u00df]\u00a5\u00a1R\u0017}\u00882\u0016~3a$\u00d8\u00dd\u00f8\u00ed\f\u00edO\u0088\u00ebx\u00f2\u00ce\u00bds\u00d5\u00ba5\u00e5\u00ba\u00c6\u0016!\b\u00de\u00e0\u00b0\u00ce\u00fb\u00e9\u00e4\u00a1\u00f9\u0012\u00a0\u0091\u00e1\u00aa\u0018}\u00f5\u0018 
\u00c4\u00fc1\u00f1ti\r\u00b1w\u00830\u008f\u00a8\u0086\u00e10P\u00e4\u0088\u00dc\u00c0.,-\u008f^\u00b8/\u0013\u00ee\u0094!y\u00c3\u00d2\u008e\u00ab\u00ff7L\u00ef\u00c7\u00af\u0014\u00d0\u00e8\u00f0u\u00de\u0092`\u0007a\u0091v\u00c2\u00a64\u0098\u00c9y\u008e\u00cf\u00bf4^\u00908\u00dd>Hm\u00c2\u00a2\u0091K\u0004;}\u0006\u0095+>.\u0012E\u00d7[\u0095\u00ea&\u00e9\u0004\u00b4\u00c3\u00ba'\u001f\u00a5A\u00edQ-n\u00ee\u0098d\u00a6\u00b9vd\u00e1\u0082\u008f\u00daC\u00f6&m\u00b9\u00ff\u00e5\u00ea:\u00ca\u001e]\u00cf8V\u00fe\u0019\u00a3\u0096\u00ccv\u00d3\u00e4\b,\u00e1\u009dM\u0094l\u00146&\u001bH4d\\K\u00b6A\u00ff\u001d\b\u0097>\u00b3\u0001\u0087\u00a0{\u0017qr\u00f9\u0007HY\f\u00db\u00df\u00e2\u009e\u00aa(/a7M\u00d7H\u0007\u00cb\u00c3Yo\u0081;L\u009b7\u00be\u00fc\u009c<\u00ec\u00cb\u00fa\u00d3<>n\u00d8.L\u000ej\u0097D&\u00a4C`H\u0085\u00b0?1\nR>\u0010\u00daVstoUbO:\u00dd\u001a\u009a\u00b3%HA\u00ce\u0014\u00a9O\u00b7\u00d6\u00b6\u00da71\u00b0v\b.\u00e3g\u00b4\u001c\u00bar\u00f43\u009dl\u009d\u00a3\u00d1\u00d5\u00c5\u0004C\\\u0083 ft\u00d9E\u0083U,%\u00c5P\u0084\u00e5E\t\u00ec\u000e\u0004\u00e0$\u00a9\u00ac\r7\u00a0\u00e1\u00b7jg\u0086\u00978 t>\u00d7\r\u0081\u00d1\u00ac\u008c\u00c33[}\u00c5\u00d2\u00fa\u00cbNb\u00e4U><o\u00af~\u00fdWhAK{^\u001aq\t\u0082G\u0013\u0004\u00b6\u000b\u00e5\u00f5<\u00ff\u00a39cV\u009d \u00de\u00e9\u00d2?\u0097\u00dca\u001fA=\u0000]\u00d98@\u00b8\u00e5\u000e\u00e7\u00ffZ\u0002\u00d5\u00f3A\u0004kw\u0091\u00eb\u00a0\u008b\u0012X\u00ccr\u00c2 \u001d\u00adv\u00d3 
\u00eeWL\u00ee\u00b8\u00d3P\u0081\u0083\u00fb\u00b7\u00fa\u00a5\u00a1\u00cd\u00ab'~`/}\u0010\u00f3\u001f}\u00a3-;\u0086\u00f8\u00b8\u00d1rGF\u00ad\u00b5\u0010\u00b46\u00a2\u0000\u00b4\u00ef\u00f3\u00f3\u00a1\u00eb\u009c?\\\u008fl\u0001\u0099(\u00a1\u00ec\u00c0\u00df\u00fe\u00e4kh|\u0094\u00e1`|\u0081\u00cf_\u0013K\u009f\u0085g\u00b9l\u00ca\u001d\u00dd3\u0002\u00b1\u00d3\u0081\u007f\u00f2d\u001d\u00c3\u001d\u00cc\u0095ob\u00d5\u0001\u0098\u00a3d7\u00a7\u00cb\u0093\u0093\u0005o\u00b6\u00a7\u0096\u00e1\u00c5\u0091\u007f\u0090:\u00d2\u00dfX\u0092\u00e2\u0018\u00b6\u00c2$d\u00ce\u00ea\u00b8p\u00a0\u009d\u00aa\u0003\u00ec\u001bi\u00eeU\u00ae\u00b51\u0002N`Fa\u0092\u001a_\u00ad\u00b2.\u00d4<\u00cfs\u007fx\u00ceA>\u00a9\u00c8D\u000bu\u0081\u009f\u00b6\u0093\u0088\u00c1\u00fb\u00bb\u00b5\u00df6\u0089\u00b7\u00a7\u00ec&A\u0018\u00ab\u0094\u0019\u00e2\u0095\u00b6(\u008f\u00d4d\u00e0\u00bd@\u00b7\u00e8\u0081\u00f0|K\u00a5n\fG\u0096\u00b9l\u00cbK_\u00c8\u00cd\u0080{\u00f3\u00c6\u009dk\u009a\u00ce\u00d3\u009b\u00a4\t$\u007f|k\u00df\u00e7t\f\u0012\u00b4'\u0088\u00c1\u00ba\u00b3\u00cbGw\u0002\u00a1\u00c3\u00acE\u0090\u00e6\u00af\u00cb\u00bf\u00beW\u009d\u009d\u00fa\u00e5\u00e4\u00b3d.\bl\u0011\u0085\u00d4\u00afo\u00d2\u0015\u00d4\u008a\u0015\u00fb\u00d0\u0086R}o\u00fe7\u00faZ\u00a1^\u00d8`/n\u00c0\u0002\u008c\u00ea\u00e3\u00f5\u009f\u00d3E\u0012\u001b\u0098\u00ecIT\u00f1-\u00af\u00ca\u0090\u00c8\u00c0-z\u00f5\u00be\u00f7\u0087\u00af\u00f1Q\u0017\u00aa\u00f3(\u000f\u00e2\u008fp\u00a9\u00e5w2\\!qlQ\u0094B\u00c3:\u00e6\u008c\u0019\u008a\u00fb\u00fe\u0093\u00e0M\u00c8o\u0007;\u00d61\u00e2\u00ee\u00a4H\u00d0\u00ca\u0012Nb\u00bb\u00f8\u00c9R\u0092\u00da\u0083B9\u00d8\u00a6u\u00b7\u00ea\u0086\u0017\u00b1\u00cd)ss\u00b5Y\u00af\u0019'\u00ab\u00f6<7\u00a4^\u00ae\u00eel\u00b8y\n\u0014\u00cf\u00ecsk\u00af\u00fa\u0082J\u00bd\u001f\u008c7rd%\u00d1%9`\u0087g#\u001d\u0098\u0082i\u00f3\u00c3W\u0084q\u00e1\u00ec\u00cb+\u00d6\u0085\u008c\u00f6q\u00e2\u0091\u00f6\u001du\u001f\u00fc\u00e1\u00a8]\u0081\
u00d2\u00eac#\u00d6\u0095}|\u008d\u00cd\u00db\u00aaEy\u00f1\u0098]\u00bf\u00c5\u001d\u008da\u00c8\u0012\u008e\u00a8\u0080]\u00fe>\u00910Sqo\u00fbC\u00913i\n\u00b2\th_\u0086b\u00b2\u0012\u00dfX\u001c\u0018\u0006\u0007d?\u00cb\u0013\f>\u0019C\u000bI\u00132'\u00db]9\u0082\u0088\u0097\u0080\u00ff\u0005\u00c6|w\u0003\u00e6\u000euE\u0000\u00ab<8\u008d\u00a5\u0094\u00ac\u00e7\u00ceo#\u00eazz\u00eb\u00e3\u00f2W\u00dbb\u0080\u009a\u00aa\u0014_\u00d1\u00ee\u001f\u0014\u00d2g\u00d85\u00d4\u00fc\u00ccIV\u0091\u0098\u00fe\u00edqC=\u00e6\u000er\u00ce\u00a3\u0014\u0018\u00e5|\u00b2o\u00d5\u00ac\u001f@\u0007\u00ad\u001bca\u008c\u0013\u00d2\u00da\u009c\u00fc\u008bp}mQ\u00e1\u008f\u00e7\u00f2\u00c5\u00f5\u00ac\u00e4$g\u00b7\u00bf\u0001m\u00d8\u00fa\u0006V\u00a0\u00990\u0083\u00ba\u00df\u009c\u00b5\u001cn^6\u00d9v\u00fc\u00aa\u00fc\u00aeP\u00be1\u00c5\u00d7 \u0084\u00e4@\\D-\u000b\u00ac\u00cf\u00d4i/\u001b7#\u00bbxo\u00b6I\u0012\u00d7P\u00e9\u00c0\u00dfL\rn\u00bf\u0081\u0083\u0000\u00a1\u00f1\u00b7\u00b9\u00ca\u00a5\u00f3%[\u009f\u00b4\u0018\u00d9\u00de\u0010",
+              "file_handle": "0x00000120",
+              "filepath": "C:\\Windows\\csrss.dll",
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000120" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x02570000",
+              "free_type": 32768,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 671744
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "OpenServiceA",
+            "arguments": {
+              "desired_access": 16,
+              "service_handle": "0x006deca0",
+              "service_manager_handle": "0x006dede0",
+              "service_name": "WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "services",
+            "flags": {},
+            "return_value": 7204000,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          {
+            "api": "StartServiceA",
+            "arguments": {
+              "arguments": [],
+              "service_handle": "0x006deca0",
+              "service_name": "WindowsClientServerRunTimeSubsystem"
+            },
+            "category": "services",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000140" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x742d36a0",
+              "function_name": "CryptReleaseContext",
+              "module": "CRYPTSP",
+              "module_address": "0x742d0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "mscoree.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x00000000",
+              "module_name": "mscoree.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 3221225781,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtTerminateProcess",
+            "arguments": {
+              "process_handle": "0x00000000",
+              "process_identifier": 0,
+              "status_code": "0x00000000"
+            },
+            "category": "process",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtTerminateProcess",
+            "arguments": {
+              "process_handle": "0x00000000",
+              "process_identifier": 0,
+              "status_code": "0x00000000"
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000210" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000020c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000218" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000214" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000204" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000200" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001c4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000" },
+            "category": "system",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 3221225480,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000" },
+            "category": "system",
+            "flags": {},
+            "last_error": 6,
+            "nt_status": -1073741816,
+            "return_value": 3221225480,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a191e2",
+              "function_name": "UnregisterTraceGuids",
+              "module": "api-ms-win-downlevel-advapi32-l1-1-0",
+              "module_address": "0x76ca0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x7552e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001bc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001b8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001b0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001b4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000001ac" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000174" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000194" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000198" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000019c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000001a0" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000001c8" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000001cc" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000001a4" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000001a8" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000160" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x00660000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 28672
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000170" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000016c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00670000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00670000",
+              "free_type": 32768,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 65536
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x00610000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000164" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x004d0000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 8192
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000150" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000014c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000013c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrUnloadDll",
+            "arguments": {
+              "library": "PROPSYS",
+              "module_address": "0x74190000"
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x77a191e2",
+              "function_name": "UnregisterTraceGuids",
+              "module": "advapi32",
+              "module_address": "0x75e10000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000138" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000114" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000128" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00727000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 65536
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0071e000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 16384
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x006f8000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 12288
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00709000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00712000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 8192
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0071a000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x00702000",
+              "free_type": 16384,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000084" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000050" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x740212b3",
+              "function_name": "",
+              "module": "comctl32",
+              "module_address": "0x73ff0000",
+              "ordinal": 321
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00702000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x00712000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0071a000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000007c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000070" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000074" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000078" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000080" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x00380000",
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "region_size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000108" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000158" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000006c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000068" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "LdrUnloadDll",
+            "arguments": { "library": "IMM32", "module_address": "0x75f10000" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000068",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000068",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": -1073741816,
+            "return_value": 3221225524,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000068" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000040" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000044" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000b8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000038" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000003c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.661626
+          },
+          {
+            "api": "NtTerminateProcess",
+            "arguments": {
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "status_code": "0x00000000"
+            },
+            "category": "process",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741816,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943652.661626
+          }
+        ],
+        "command_line": "\"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe\" ",
+        "first_seen": 1606943648.427626,
+        "modules": [
+          {
+            "baseaddr": "0x3c0000",
+            "basename": "Win32.DarkTequila.exe",
+            "filepath": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe",
+            "imgsize": 933888
+          },
+          {
+            "baseaddr": "0x779c0000",
+            "basename": "ntdll.dll",
+            "filepath": "C:\\Windows\\SysWOW64\\ntdll.dll",
+            "imgsize": 1572864
+          },
+          {
+            "baseaddr": "0x757c0000",
+            "basename": "kernel32.dll",
+            "filepath": "C:\\Windows\\syswow64\\kernel32.dll",
+            "imgsize": 1114112
+          },
+          {
+            "baseaddr": "0x75c10000",
+            "basename": "KERNELBASE.dll",
+            "filepath": "C:\\Windows\\syswow64\\KERNELBASE.dll",
+            "imgsize": 290816
+          },
+          {
+            "baseaddr": "0x75b60000",
+            "basename": "msvcrt.dll",
+            "filepath": "C:\\Windows\\syswow64\\msvcrt.dll",
+            "imgsize": 704512
+          },
+          {
+            "baseaddr": "0x742f0000",
+            "basename": "monitor-x86.dll",
+            "filepath": "C:\\tmpcaygsr\\bin\\monitor-x86.dll",
+            "imgsize": 2117632
+          }
+        ],
+        "pid": 2976,
+        "ppid": 3028,
+        "process_name": "Win32.DarkTequila.exe",
+        "process_path": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe",
+        "tid": 2868,
+        "time": 0,
+        "track": true,
+        "type": "process"
+      },
+      {
+        "calls": [
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x000007fef4e70000",
+              "module_name": "api-ms-win-core-synch-l1-2-0.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x0000000077814320",
+              "function_name": "InitializeConditionVariable",
+              "module": "api-ms-win-core-synch-l1-2-0",
+              "module_address": "0x000007fef4e70000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000000007760b6d0",
+              "function_name": "SleepConditionVariableCS",
+              "module": "api-ms-win-core-synch-l1-2-0",
+              "module_address": "0x000007fef4e70000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x00000000777feea0",
+              "function_name": "WakeAllConditionVariable",
+              "module": "api-ms-win-core-synch-l1-2-0",
+              "module_address": "0x000007fef4e70000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "SetUnhandledExceptionFilter",
+            "arguments": {},
+            "category": "exception",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "GetSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x0000000000e50000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 1048576,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000000e50000",
+              "free_type": 32768,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "size": 1048576
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x0000000000e50000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 2093056,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000000e50000",
+              "free_type": 32768,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "size": 2093056
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x0000000000f00000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 1048576,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000000f01000",
+              "free_type": 16384,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "size": 1044480
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x0000000001000000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 1048576,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000001002000",
+              "free_type": 16384,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "size": 1040384
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000001002000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000001003000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000001004000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000001006000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 57344,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000001014000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtOpenProcess",
+            "arguments": {
+              "desired_access": "0x00001000",
+              "process_handle": "0x0000000000000050",
+              "process_identifier": 2976
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.38402
+          },
+          {
+            "api": "NtOpenFile",
+            "arguments": {
+              "desired_access": "0x00100080",
+              "file_handle": "0x0000000000000054",
+              "filepath": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe",
+              "filepath_r": "\\Device\\HarddiskVolume2\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe",
+              "open_options": 16416,
+              "share_access": 7,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "desired_access": "FILE_READ_ATTRIBUTES",
+              "open_options": "FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "GetFileInformationByHandle",
+            "arguments": { "file_handle": "0x0000000000000054" },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000054" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 16416,
+              "desired_access": "0x00100080",
+              "file_attributes": 0,
+              "file_handle": "0x0000000000000054",
+              "filepath": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+              "filepath_r": "\\??\\C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+              "share_access": 7,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "GetFileInformationByHandle",
+            "arguments": { "file_handle": "0x0000000000000054" },
+            "category": "file",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000054" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000050" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "RegCreateKeyExW",
+            "arguments": {
+              "access": "0x000f003f",
+              "base_handle": "0xffffffff80000001",
+              "class": "",
+              "disposition": 2,
+              "key_handle": "0x0000000000000054",
+              "options": 0,
+              "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher",
+              "regkey_r": "SOFTWARE\\Mozilla\\Firefox\\Launcher"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x0000000000000054",
+              "reg_type": 4,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image",
+              "regkey_r": "C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image",
+              "value": 1579293992
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_DWORD" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x0000000000000054",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher",
+              "regkey_r": "C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "RegQueryValueExW",
+            "arguments": {
+              "key_handle": "0x0000000000000054",
+              "reg_type": 0,
+              "regkey": "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser",
+              "regkey_r": "C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": { "reg_type": "REG_NONE" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": 2,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.40002
+          },
+          {
+            "api": "NtOpenProcess",
+            "arguments": {
+              "desired_access": "0x00001000",
+              "process_handle": "0x0000000000000058",
+              "process_identifier": 2976
+            },
+            "category": "process",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.41502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000058" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.41502
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000001015000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 65536,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.41502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000058" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.41502
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.41502
+          },
+          {
+            "api": "NtQuerySystemInformation",
+            "arguments": { "information_class": 0 },
+            "category": "system",
+            "flags": { "information_class": "SystemBasicInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.43102
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x000000007790e000",
+              "heap_dep_bypass": 0,
+              "length": 4096,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 2,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_READONLY" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.43102
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.43102
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x0000000000000000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741823,
+            "return_value": -1073741515,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.43102
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x0000000000000000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1073741823,
+            "return_value": -1073741515,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.43102
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "IMM32",
+              "flags": 0,
+              "module_address": "0x000007feff1f0000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x000007feff1f0000",
+              "module_name": "C:\\Windows\\system32\\IMM32.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000000",
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Error Message Instrument\\"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000005c",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000005c",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000005c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x000007feff340000",
+              "module_name": "LPK.DLL",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff346ab0",
+              "function_name": "LpkTabbedTextOut",
+              "module": "LPK",
+              "module_address": "0x000007feff340000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff345300",
+              "function_name": "LpkPSMTextOut",
+              "module": "LPK",
+              "module_address": "0x000007feff340000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff341460",
+              "function_name": "LpkDrawTextEx",
+              "module": "LPK",
+              "module_address": "0x000007feff340000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff34a050",
+              "function_name": "LpkEditControl",
+              "module": "LPK",
+              "module_address": "0x000007feff340000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000070" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000006c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000006c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000006c",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs",
+              "value": 0
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000006c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "gdi32",
+              "flags": 0,
+              "module_address": "0x000007fefdf40000",
+              "module_name": "gdi32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefdf458f0",
+              "function_name": "GetCharABCWidthsI",
+              "module": "GDI32",
+              "module_address": "0x000007fefdf40000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000006c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000006c",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 5,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000006c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000006c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000006c",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 5,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000006c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "GetSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x000007feff660000",
+              "module_name": "rpcrt4.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff6ae660",
+              "function_name": "I_RpcInitNdrImports",
+              "module": "RPCRT4",
+              "module_address": "0x000007feff660000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 0,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "NtOpenDirectoryObject",
+            "arguments": {
+              "desired_access": "0x0000000f",
+              "directory_handle": "0x0000000000000088",
+              "dirpath": "\\Sessions\\1\\BaseNamedObjects",
+              "dirpath_r": "\\Sessions\\1\\BaseNamedObjects"
+            },
+            "category": "file",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ole32",
+              "flags": 0,
+              "module_address": "0x000007fefd890000",
+              "module_name": "ole32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefd8b0870",
+              "function_name": "CoInitializeEx",
+              "module": "ole32",
+              "module_address": "0x000007fefd890000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.44702
+          },
+          {
+            "api": "CoInitializeEx",
+            "arguments": { "options": 2 },
+            "category": "ole",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000000000ac",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000000000000ac",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
+              "value": "ntmarta.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000000000000ac",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
+              "value": "ntmarta.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.46202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000000000b8",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000000000000b8",
+              "key_name": "",
+              "reg_type": 4,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
+              "value": 1
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_DWORD"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000000000000b8" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000000000b8",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000000000000b8",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000000000000b8" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000000000b8",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000000000000b8",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000000000000b8" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x00000000000000b8",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x00000000000000b8",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000000000000b8" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ntmarta",
+              "flags": 0,
+              "module_address": "0x000007fefc6c0000",
+              "module_name": "ntmarta.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefc6c1654",
+              "function_name": "GetMartaExtensionInterface",
+              "module": "ntmarta",
+              "module_address": "0x000007fefc6c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x00000000000000ac" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefd8a74a8",
+              "function_name": "CoInitializeSecurity",
+              "module": "ole32",
+              "module_address": "0x000007fefd890000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.47802
+          },
+          {
+            "api": "CoInitializeSecurity",
+            "arguments": {},
+            "category": "ole",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000a8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefd8b4650",
+              "function_name": "CoCreateInstance",
+              "module": "ole32",
+              "module_address": "0x000007fefd890000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "CoCreateInstance",
+            "arguments": {
+              "class_context": 1,
+              "clsid": "{0000034b-0000-0000-c000-000000000046}",
+              "iid": "{0000015b-0000-0000-c000-000000000046}"
+            },
+            "category": "ole",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "GetSystemDirectoryW",
+            "arguments": { "dirpath": "C:\\Windows\\system32" },
+            "category": "file",
+            "flags": {},
+            "return_value": 19,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 0,
+            "nt_status": -1073741700,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 203,
+            "nt_status": -1073741568,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "OLEAUT32",
+              "flags": 0,
+              "module_address": "0x000007feff790000",
+              "module_name": "OLEAUT32.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff7b2880",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 327
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff793280",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 2
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff791240",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 8
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.49402
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x00000000775e1eb0",
+              "function_name": "FlsGetValue",
+              "module": "kernel32",
+              "module_address": "0x00000000775c0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 684,
+            "time": 1606943220.54002
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000c03000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 684,
+            "time": 1606943220.61902
+          },
+          {
+            "api": "NtDuplicateObject",
+            "arguments": {
+              "desired_access": "0x00000000",
+              "handle_attributes": 0,
+              "options": 2,
+              "source_handle": "0xfffffffffffffffe",
+              "source_process_handle": "0xffffffffffffffff",
+              "source_process_identifier": 1952,
+              "target_handle": "0x0000000000000148",
+              "target_process_handle": "0xffffffffffffffff",
+              "target_process_identifier": 1952
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 684,
+            "time": 1606943220.61902
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000c04000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 684,
+            "time": 1606943220.61902
+          },
+          {
+            "api": "NtDuplicateObject",
+            "arguments": {
+              "desired_access": "0x00000000",
+              "handle_attributes": 0,
+              "options": 2,
+              "source_handle": "0xfffffffffffffffe",
+              "source_process_handle": "0xffffffffffffffff",
+              "source_process_identifier": 1952,
+              "target_handle": "0x0000000000000150",
+              "target_process_handle": "0xffffffffffffffff",
+              "target_process_identifier": 1952
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2108,
+            "time": 1606943220.61902
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000c06000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 8192,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2108,
+            "time": 1606943220.61902
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000c08000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 32768,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2264,
+            "time": 1606943220.61902
+          },
+          {
+            "api": "CoCreateInstance",
+            "arguments": {
+              "class_context": 5,
+              "clsid": "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
+              "iid": "{85cb6900-4d95-11cf-960c-0080c7f4ee85}"
+            },
+            "category": "ole",
+            "flags": { "clsid": "ShellWindows", "iid": "IID_IShellWindows" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "OLEAUT32",
+              "flags": 0,
+              "module_address": "0x000007feff790000",
+              "module_name": "OLEAUT32",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff7962e0",
+              "function_name": "BSTR_UserSize",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff796310",
+              "function_name": "BSTR_UserMarshal",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff796690",
+              "function_name": "BSTR_UserUnmarshal",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff796650",
+              "function_name": "BSTR_UserFree",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff798810",
+              "function_name": "VARIANT_UserSize",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff7986c0",
+              "function_name": "VARIANT_UserMarshal",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff798300",
+              "function_name": "VARIANT_UserUnmarshal",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff798120",
+              "function_name": "VARIANT_UserFree",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff7e1a20",
+              "function_name": "LPSAFEARRAY_UserSize",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff7e1a10",
+              "function_name": "LPSAFEARRAY_UserMarshal",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff7f8b60",
+              "function_name": "LPSAFEARRAY_UserUnmarshal",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff8012a0",
+              "function_name": "LPSAFEARRAY_UserFree",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000184",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000178" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000184",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000178",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000184" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000184",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000184",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)",
+              "value": "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000184" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000178" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000124",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000178",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TreatAs"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 14007,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "<INVALID POINTER>",
+              "information_class": 3,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "last_error": 14007,
+            "nt_status": -1073741772,
+            "return_value": -1073741789,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u009e\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u0000A\u00004\u0000A\u00001\u0000A\u00001\u00002\u00008\u0000-\u00007\u00006\u00008\u0000F\u0000-\u00004\u00001\u0000E\u00000\u0000-\u0000B\u0000F\u00007\u00005\u0000-\u0000E\u00004\u0000F\u0000D\u0000D\u0000D\u00007\u00000\u00001\u0000C\u0000B\u0000A\u0000}\u0000",
+              "information_class": 3,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.82202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\Progid"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 14007,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000124",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000",
+              "information_class": 3,
+              "key_handle": "0x0000000000000124",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020219",
+              "key_handle": "0x0000000000000184",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0006\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000184",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\Progid"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 14007,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000184" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000178",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)",
+              "value": "PSFactoryBuffer"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000178",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)",
+              "value": "PSFactoryBuffer"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000184",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000184",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000184",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)",
+              "value": "C:\\Program Files\\Internet Explorer\\ieproxy.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000184",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)",
+              "value": "C:\\Program Files\\Internet Explorer\\ieproxy.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000184",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel",
+              "value": "Both"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000184" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocHandler32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InprocHandler"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000178" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000184",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.83702
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000178" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000184",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000178",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000184" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000178",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\TreatAs"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000178" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.85302
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "ieproxy",
+              "flags": 0,
+              "module_address": "0x000007fef3380000",
+              "module_name": "C:\\Program Files\\Internet Explorer\\ieproxy.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fef3381530",
+              "function_name": "DllGetClassObject",
+              "module": "ieproxy",
+              "module_address": "0x000007fef3380000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fef3381010",
+              "function_name": "DllCanUnloadNow",
+              "module": "ieproxy",
+              "module_address": "0x000007fef3380000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "GetSystemInfo",
+            "arguments": { "processor_count": 2 },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000c2f000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 4,
+              "region_size": 28672,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000d90000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 64,
+              "region_size": 65536,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_EXECUTE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000000d90000",
+              "heap_dep_bypass": 1,
+              "length": 65536,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 32,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READ" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+              "value": "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000124",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\TreatAs"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 14007,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "<INVALID POINTER>",
+              "information_class": 3,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "last_error": 14007,
+            "nt_status": -1073741772,
+            "return_value": -1073741789,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u009e\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000\\\u0000C\u0000L\u0000S\u0000I\u0000D\u0000\\\u0000{\u0000C\u00009\u00000\u00002\u00005\u00000\u0000F\u00003\u0000-\u00004\u0000D\u00007\u0000D\u0000-\u00004\u00009\u00009\u00001\u0000-\u00009\u0000B\u00006\u00009\u0000-\u0000A\u00005\u0000C\u00005\u0000B\u0000C\u00001\u0000C\u00002\u0000A\u0000E\u00006\u0000}\u0000",
+              "information_class": 3,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\Progid"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 14007,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000124",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000",
+              "information_class": 3,
+              "key_handle": "0x0000000000000124",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020219",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0001\u0006\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\Progid"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 14007,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000180",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)",
+              "value": "PSFactoryBuffer"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000180",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)",
+              "value": "PSFactoryBuffer"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocServer32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)",
+              "value": "C:\\Windows\\system32\\actxprxy.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)",
+              "value": "C:\\Windows\\system32\\actxprxy.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel",
+              "value": "Both"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.88402
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocHandler32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InprocHandler"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "last_error": 1008,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\TreatAs"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "last_error": 1008,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "GetSystemTimeAsFileTime",
+            "arguments": {},
+            "category": "synchronisation",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "actxprxy",
+              "flags": 0,
+              "module_address": "0x000007fef9920000",
+              "module_name": "C:\\Windows\\system32\\actxprxy.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fef9921030",
+              "function_name": "DllGetClassObject",
+              "module": "actxprxy",
+              "module_address": "0x000007fef9920000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.90002
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fef9921010",
+              "function_name": "DllCanUnloadNow",
+              "module": "actxprxy",
+              "module_address": "0x000007fef9920000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+              "value": "{00000320-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "CoGetClassObject",
+            "arguments": {
+              "class_context": -2147483647,
+              "clsid": "{00000320-0000-0000-c000-000000000046}",
+              "iid": "{d5f569d0-593b-101a-b569-08002b2dbf7a}"
+            },
+            "category": "ole",
+            "flags": { "iid": "IID_IPSFactoryBuffer" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+              "value": "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "CoGetClassObject",
+            "arguments": {
+              "class_context": -2147483647,
+              "clsid": "{00000320-0000-0000-c000-000000000046}",
+              "iid": "{d5f569d0-593b-101a-b569-08002b2dbf7a}"
+            },
+            "category": "ole",
+            "flags": { "iid": "IID_IPSFactoryBuffer" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.91502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)",
+              "value": "{00020424-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000180",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)",
+              "value": "{00020424-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\Forward"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 14007,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000",
+              "information_class": 3,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000200",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\Forward"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 14007,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000016c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)",
+              "value": "{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000016c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version",
+              "value": "1.0"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000016c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.93102
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 0,
+              "key_handle": "0x000000000000016c",
+              "key_name": "1.0",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 1,
+              "key_handle": "0x000000000000016c",
+              "key_name": "1.0",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 14007,
+            "nt_status": -2147483622,
+            "return_value": 259,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 0,
+              "key_handle": "0x0000000000000180",
+              "key_name": "0",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000168",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000168",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000170",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000170",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)",
+              "value": "C:\\Windows\\system32\\shell32.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 2144,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x0000000000000174",
+              "filepath": "C:\\Windows\\System32\\shell32.dll",
+              "filepath_r": "\\??\\C:\\Windows\\system32\\shell32.dll",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8\u0000\u0000\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 64,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 248
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 248,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "PE\u0000\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 4,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "d\u0086\u0006\u0000j\u0013\u0093Y\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" ",
+              "file_handle": "0x0000000000000174",
+              "length": 20,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 240
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 512,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".text\u0000\u0000\u0000t\u00ebB\u0000\u0000\u0010\u0000\u0000\u0000\u00ecB\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`",
+              "file_handle": "0x0000000000000174",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".rdata\u0000\u0000\u00cc\u001d\u000b\u0000\u0000\u0000C\u0000\u0000\u001e\u000b\u0000\u0000\u00f0B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x0000000000000174",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".data\u0000\u0000\u0000\u0000\u0095\u0000\u0000\u0000 N\u0000\u0000|\u0000\u0000\u0000\u000eN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0",
+              "file_handle": "0x0000000000000174",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".pdata\u0000\u0000\u009c\u009e\u0004\u0000\u0000\u00c0N\u0000\u0000\u00a0\u0004\u0000\u0000\u008aN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x0000000000000174",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".rsrc\u0000\u0000\u0000\u00e0M\u0084\u0000\u0000`S\u0000\u0000N\u0084\u0000\u0000*S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x0000000000000174",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450240
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450240,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0007\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "N\n\u0002\u0080\u0090\u0000\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.94702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450264,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5583950
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5583950,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450264
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450264,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "|\n\u0002\u0080\b\u0001\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450272,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5583996
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5583996,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450272
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450272,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "l\n\u0002\u0080H\u0001\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450280,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5583980
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5583980,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0007\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "L\u0000I\u0000B\u0000R\u0000A\u0000R\u0000Y\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 14,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450280
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450280,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u00ac\n\u0002\u0080\u0080\u0001\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450288,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5584044
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5584044,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450288
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450288,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0084\n\u0002\u0080\u0098\u0001\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450296,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5584004
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5584004,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u000b\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450296
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450296,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u009c\n\u0002\u0080\u00b8\u0001\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450304,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5584028
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5584028,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0007\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 14,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450304
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450304,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5450680
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450680,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450696,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000\u00d8Z\u0000\u0080",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.96202
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5473496
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5473496,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\t\u0004\u0000\u0000@^\u0001\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "move_method": 0,
+              "offset": 5539904
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5539904,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": " 2\u00d7\u0000Hz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
+              "file_handle": "0x0000000000000174",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "GetFileSize",
+            "arguments": {
+              "file_handle": "0x0000000000000174",
+              "file_size_low": 14182400
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 14182400,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x000f0005",
+              "file_handle": "0x0000000000000174",
+              "object_handle": "0x0000000000000000",
+              "protection": 2,
+              "section_handle": "0x0000000000000188",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x0000000000da0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "section_handle": "0x0000000000000188",
+              "section_offset": 14024704,
+              "view_size": 98304,
+              "win32_protect": 2
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READONLY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000170" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000168" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000016c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000016c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000016c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000180",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000180",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000168",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000168",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000170",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000170",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000018c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000018c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000170" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000168",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000170",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000170",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.97802
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x000000000000018c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000018c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
+              "value": "C:\\Windows\\system32\\stdole2.tlb"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000018c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 2144,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x000000000000018c",
+              "filepath": "C:\\Windows\\System32\\stdole2.tlb",
+              "filepath_r": "\\??\\C:\\Windows\\system32\\stdole2.tlb",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b8\u0000\u0000\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 64,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 184
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 184,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "PE\u0000\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 4,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "d\u0086\u0001\u0000S\u00ca[J\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" ",
+              "file_handle": "0x000000000000018c",
+              "length": 20,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 240
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 448,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".rsrc\u0000\u0000\u0000\u00a0?\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x000000000000018c",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 512
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 512,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u00f8\u0000\u0000\u0080(\u0000\u0000\u0080",
+              "file_handle": "0x000000000000018c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 536,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 760
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 760,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 536
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 536,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u00e8\u0000\u0000\u0080@\u0000\u0000\u0080",
+              "file_handle": "0x000000000000018c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 544,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 744
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 744,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.99402
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0007\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 14,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 544
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 544,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 488
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 576
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 576,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 592,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000\u0088\u0000\u0000\u0080",
+              "file_handle": "0x000000000000018c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 488
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 648
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 648,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\t\u0004\u0000\u0000\u00c8\u0000\u0000\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 488
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0011\u0000\u0000@:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
+              "file_handle": "0x000000000000018c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "GetFileSize",
+            "arguments": {
+              "file_handle": "0x000000000000018c",
+              "file_size_low": 16896
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 16896,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x000f0005",
+              "file_handle": "0x000000000000018c",
+              "object_handle": "0x0000000000000000",
+              "protection": 2,
+              "section_handle": "0x0000000000000190",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x0000000000dc0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "section_handle": "0x0000000000000190",
+              "section_offset": 0,
+              "view_size": 16384,
+              "win32_protect": 2
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READONLY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000170" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000168" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000180" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000016c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "CoGetClassObject",
+            "arguments": {
+              "class_context": -2147483647,
+              "clsid": "{00020420-0000-0000-c000-000000000046}",
+              "iid": "{d5f569d0-593b-101a-b569-08002b2dbf7a}"
+            },
+            "category": "ole",
+            "flags": { "clsid": "PSDispatch", "iid": "IID_IPSFactoryBuffer" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000018c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x0000000000dc0000",
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "region_size": 16384
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000190" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000174" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x0000000000da0000",
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "region_size": 98304
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000188" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.00902
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000188" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000188",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000174",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)",
+              "value": "{00020424-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000188" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000188",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)",
+              "value": "{00020424-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000188" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\Forward"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 14007,
+            "nt_status": 0,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "D\u0000\u0000\u0000\\\u0000R\u0000E\u0000G\u0000I\u0000S\u0000T\u0000R\u0000Y\u0000\\\u0000M\u0000A\u0000C\u0000H\u0000I\u0000N\u0000E\u0000\\\u0000S\u0000O\u0000F\u0000T\u0000W\u0000A\u0000R\u0000E\u0000\\\u0000C\u0000l\u0000a\u0000s\u0000s\u0000e\u0000s\u0000",
+              "information_class": 3,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyNameInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000200",
+              "key_handle": "0x0000000000000000",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\Forward"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "last_error": 14007,
+            "nt_status": -1073741772,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000174" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000188",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000174",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)",
+              "value": "{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000174",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version",
+              "value": "1.0"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.02502
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000174" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000188",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 0,
+              "key_handle": "0x0000000000000174",
+              "key_name": "1.0",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 1,
+              "key_handle": "0x0000000000000174",
+              "key_name": "1.0",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": {},
+            "last_error": 14007,
+            "nt_status": -2147483622,
+            "return_value": 259,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "RegEnumKeyW",
+            "arguments": {
+              "index": 0,
+              "key_handle": "0x0000000000000188",
+              "key_name": "0",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"
+            },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000188",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000190",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000190",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000018c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000018c",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)",
+              "value": "C:\\Windows\\system32\\shell32.dll"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 2144,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x000000000000016c",
+              "filepath": "C:\\Windows\\System32\\shell32.dll",
+              "filepath_r": "\\??\\C:\\Windows\\system32\\shell32.dll",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8\u0000\u0000\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 64,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 248
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 248,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "PE\u0000\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 4,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "d\u0086\u0006\u0000j\u0013\u0093Y\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" ",
+              "file_handle": "0x000000000000016c",
+              "length": 20,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 240
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 512,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".text\u0000\u0000\u0000t\u00ebB\u0000\u0000\u0010\u0000\u0000\u0000\u00ecB\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`",
+              "file_handle": "0x000000000000016c",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".rdata\u0000\u0000\u00cc\u001d\u000b\u0000\u0000\u0000C\u0000\u0000\u001e\u000b\u0000\u0000\u00f0B\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x000000000000016c",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".data\u0000\u0000\u0000\u0000\u0095\u0000\u0000\u0000 N\u0000\u0000|\u0000\u0000\u0000\u000eN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0",
+              "file_handle": "0x000000000000016c",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".pdata\u0000\u0000\u009c\u009e\u0004\u0000\u0000\u00c0N\u0000\u0000\u00a0\u0004\u0000\u0000\u008aN\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x000000000000016c",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".rsrc\u0000\u0000\u0000\u00e0M\u0084\u0000\u0000`S\u0000\u0000N\u0084\u0000\u0000*S\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x000000000000016c",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450240
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450240,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\t\u0000\u0007\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "N\n\u0002\u0080\u0090\u0000\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450264,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.04002
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5583950
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5583950,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450264
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450264,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "|\n\u0002\u0080\b\u0001\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450272,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5583996
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5583996,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450272
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450272,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "l\n\u0002\u0080H\u0001\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450280,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5583980
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5583980,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0007\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "L\u0000I\u0000B\u0000R\u0000A\u0000R\u0000Y\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 14,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450280
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450280,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u00ac\n\u0002\u0080\u0080\u0001\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450288,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5584044
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5584044,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450288
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450288,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0084\n\u0002\u0080\u0098\u0001\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450296,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5584004
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5584004,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u000b\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450296
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450296,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u009c\n\u0002\u0080\u00b8\u0001\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450304,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5584028
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5584028,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0007\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 14,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450304
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450304,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5450680
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450680,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5450696,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000\u00d8Z\u0000\u0080",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5473496
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5473496,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\t\u0004\u0000\u0000@^\u0001\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "move_method": 0,
+              "offset": 5539904
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 5539904,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": " 2\u00d7\u0000Hz\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
+              "file_handle": "0x000000000000016c",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "GetFileSize",
+            "arguments": {
+              "file_handle": "0x000000000000016c",
+              "file_size_low": 14182400
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 14182400,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x000f0005",
+              "file_handle": "0x000000000000016c",
+              "object_handle": "0x0000000000000000",
+              "protection": 2,
+              "section_handle": "0x0000000000000180",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x0000000000da0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "section_handle": "0x0000000000000180",
+              "section_offset": 14024704,
+              "view_size": 98304,
+              "win32_protect": 2
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READONLY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000018c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.05602
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000190" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000024",
+              "regkey": "HKEY_LOCAL_MACHINE"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Classes"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000174" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000188",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000174",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000174",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000188",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000188",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000190",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000190",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000018c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000018c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x0000000000000168",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000168" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000018c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x0000000000000190",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x02000000",
+              "key_handle": "0x000000000000018c",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "MAXIMUM_ALLOWED" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryKey",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000",
+              "information_class": 7,
+              "key_handle": "0x000000000000018c",
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0"
+            },
+            "category": "registry",
+            "flags": { "information_class": "KeyHandleTagsInformation" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtOpenKeyEx",
+            "arguments": {
+              "desired_access": "0x00000001",
+              "key_handle": "0x0000000000000168",
+              "options": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x0000000000000168",
+              "key_name": "",
+              "reg_type": 1,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
+              "value": "C:\\Windows\\system32\\stdole2.tlb"
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_SZ"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000168" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.07202
+          },
+          {
+            "api": "NtCreateFile",
+            "arguments": {
+              "create_disposition": 1,
+              "create_options": 2144,
+              "desired_access": "0x80100080",
+              "file_attributes": 0,
+              "file_handle": "0x0000000000000168",
+              "filepath": "C:\\Windows\\System32\\stdole2.tlb",
+              "filepath_r": "\\??\\C:\\Windows\\system32\\stdole2.tlb",
+              "share_access": 5,
+              "status_info": 1
+            },
+            "category": "file",
+            "flags": {
+              "create_disposition": "FILE_OPEN",
+              "create_options": "FILE_NON_DIRECTORY_FILE|FILE_RANDOM_ACCESS|FILE_SYNCHRONOUS_IO_NONALERT",
+              "desired_access": "FILE_READ_ATTRIBUTES|SYNCHRONIZE",
+              "file_attributes": "",
+              "share_access": "FILE_SHARE_READ|FILE_SHARE_DELETE",
+              "status_info": "FILE_OPENED"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00b8\u0000\u0000\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 64,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 184
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 184,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "PE\u0000\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 4,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "d\u0086\u0001\u0000S\u00ca[J\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\" ",
+              "file_handle": "0x0000000000000168",
+              "length": 20,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 240
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 448,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": ".rsrc\u0000\u0000\u0000\u00a0?\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@",
+              "file_handle": "0x0000000000000168",
+              "length": 40,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 512
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 512,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u00f8\u0000\u0000\u0080(\u0000\u0000\u0080",
+              "file_handle": "0x0000000000000168",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 536,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 760
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 760,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0003\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 536
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 536,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u00e8\u0000\u0000\u0080@\u0000\u0000\u0080",
+              "file_handle": "0x0000000000000168",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 544,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 744
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 744,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0007\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 2,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "T\u0000Y\u0000P\u0000E\u0000L\u0000I\u0000B\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 14,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 544
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 544,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 488
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.08702
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 576
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 576,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 592,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0001\u0000\u0000\u0000\u0088\u0000\u0000\u0080",
+              "file_handle": "0x0000000000000168",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 488
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 1,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 648
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 648,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\t\u0004\u0000\u0000\u00c8\u0000\u0000\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 8,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 488
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 488,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "SetFilePointer",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "move_method": 0,
+              "offset": 712
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 712,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtReadFile",
+            "arguments": {
+              "buffer": "\u0000\u0011\u0000\u0000@:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
+              "file_handle": "0x0000000000000168",
+              "length": 16,
+              "offset": 0
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "GetFileSize",
+            "arguments": {
+              "file_handle": "0x0000000000000168",
+              "file_size_low": 16896
+            },
+            "category": "file",
+            "flags": {},
+            "return_value": 16896,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtCreateSection",
+            "arguments": {
+              "desired_access": "0x000f0005",
+              "file_handle": "0x0000000000000168",
+              "object_handle": "0x0000000000000000",
+              "protection": 2,
+              "section_handle": "0x0000000000000170",
+              "section_name": ""
+            },
+            "category": "process",
+            "flags": {
+              "desired_access": "STANDARD_RIGHTS_REQUIRED|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtMapViewOfSection",
+            "arguments": {
+              "allocation_type": 0,
+              "base_address": "0x0000000000dc0000",
+              "buffer": "",
+              "commit_size": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "section_handle": "0x0000000000000170",
+              "section_offset": 0,
+              "view_size": 16384,
+              "win32_protect": 2
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "",
+              "win32_protect": "PAGE_READONLY"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x000000000000018c" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000190" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000188" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000174" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "CoGetClassObject",
+            "arguments": {
+              "class_context": -2147483647,
+              "clsid": "{00020420-0000-0000-c000-000000000046}",
+              "iid": "{d5f569d0-593b-101a-b569-08002b2dbf7a}"
+            },
+            "category": "ole",
+            "flags": { "clsid": "PSDispatch", "iid": "IID_IPSFactoryBuffer" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000168" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x0000000000dc0000",
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "region_size": 16384
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000170" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000016c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x0000000000da0000",
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "region_size": 98304
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000180" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefd9607f0",
+              "function_name": "CoAllowSetForegroundWindow",
+              "module": "ole32",
+              "module_address": "0x000007fefd890000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.10302
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff791180",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 9
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.11902
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff791180",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 9
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.11902
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007feff791210",
+              "function_name": "",
+              "module": "OLEAUT32",
+              "module_address": "0x000007feff790000",
+              "ordinal": 6
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.11902
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefd8af1d8",
+              "function_name": "CoUninitialize",
+              "module": "ole32",
+              "module_address": "0x000007fefd890000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.11902
+          },
+          {
+            "api": "CoUninitialize",
+            "arguments": {},
+            "category": "ole",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "RegCloseKey",
+            "arguments": { "key_handle": "0x0000000000000054" },
+            "category": "registry",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "LdrLoadDll",
+            "arguments": {
+              "basename": "api-ms-win-appmodel-runtime-l1-1-2",
+              "flags": 0,
+              "module_address": "0x0000000000000000",
+              "module_name": "api-ms-win-appmodel-runtime-l1-1-2",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 0,
+            "nt_status": -1072365560,
+            "return_value": -1073741515,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x0000000000000000",
+              "module_name": "mscoree.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": -1073741515,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "LdrGetDllHandle",
+            "arguments": {
+              "module_address": "0x0000000000000000",
+              "module_name": "mscoree.dll",
+              "stack_pivoted": 0
+            },
+            "category": "system",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": -1073741515,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtTerminateProcess",
+            "arguments": {
+              "process_handle": "0x0000000000000000",
+              "process_identifier": 0,
+              "status_code": "0x00000000"
+            },
+            "category": "process",
+            "flags": {},
+            "last_error": 126,
+            "nt_status": -1073741515,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtTerminateProcess",
+            "arguments": {
+              "process_handle": "0x0000000000000000",
+              "process_identifier": 0,
+              "status_code": "0x00000000"
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000120" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x0000000000a60000",
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "region_size": 28672
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000134" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000130" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000000a70000",
+              "free_type": 16384,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtFreeVirtualMemory",
+            "arguments": {
+              "base_address": "0x0000000000a70000",
+              "free_type": 32768,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "size": 65536
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtUnmapViewOfSection",
+            "arguments": {
+              "base_address": "0x0000000000a50000",
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "region_size": 4096
+            },
+            "category": "process",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000128" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000b8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000bc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000c0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000c4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000c8" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000cc" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000d0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000d4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000b0" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000009c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000098" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000058" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000006c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "LdrGetProcedureAddress",
+            "arguments": {
+              "function_address": "0x000007fefccc4a74",
+              "function_name": "CryptReleaseContext",
+              "module": "CRYPTSP",
+              "module_address": "0x000007fefccc0000",
+              "ordinal": 0
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "LdrUnloadDll",
+            "arguments": {
+              "library": "IMM32",
+              "module_address": "0x000007feff1f0000"
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtOpenKey",
+            "arguments": {
+              "desired_access": "0x00020019",
+              "key_handle": "0x000000000000006c",
+              "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
+            },
+            "category": "registry",
+            "flags": { "desired_access": "READ_CONTROL" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtQueryValueKey",
+            "arguments": {
+              "information_class": 2,
+              "key_handle": "0x000000000000006c",
+              "key_name": "",
+              "reg_type": 0,
+              "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles",
+              "value": ""
+            },
+            "category": "registry",
+            "flags": {
+              "information_class": "KeyValuePartialInformation",
+              "reg_type": "REG_NONE"
+            },
+            "last_error": 0,
+            "nt_status": -1073741515,
+            "return_value": -1073741772,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000006c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x000000000000001c" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x0000000000000020" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "LdrUnloadDll",
+            "arguments": {
+              "library": "ntmarta",
+              "module_address": "0x000007fefc6c0000"
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtClose",
+            "arguments": { "handle": "0x00000000000000e4" },
+            "category": "system",
+            "flags": {},
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943221.15002
+          },
+          {
+            "api": "NtTerminateProcess",
+            "arguments": {
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "status_code": "0x00000000"
+            },
+            "category": "process",
+            "flags": {},
+            "last_error": 203,
+            "nt_status": -1073741568,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2524,
+            "time": 1606943221.15002
+          }
+        ],
+        "command_line": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"",
+        "first_seen": 1606943649.755751,
+        "modules": [
+          {
+            "baseaddr": "0x13ff30000",
+            "basename": "firefox.exe",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+            "imgsize": 593920
+          },
+          {
+            "baseaddr": "0x777e0000",
+            "basename": "ntdll.dll",
+            "filepath": "C:\\Windows\\SYSTEM32\\ntdll.dll",
+            "imgsize": 1744896
+          },
+          {
+            "baseaddr": "0x775c0000",
+            "basename": "kernel32.dll",
+            "filepath": "C:\\Windows\\system32\\kernel32.dll",
+            "imgsize": 1175552
+          },
+          {
+            "baseaddr": "0x7fefd5b0000",
+            "basename": "KERNELBASE.dll",
+            "filepath": "C:\\Windows\\system32\\KERNELBASE.dll",
+            "imgsize": 434176
+          },
+          {
+            "baseaddr": "0x7fef0b10000",
+            "basename": "mozglue.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\mozglue.dll",
+            "imgsize": 507904
+          },
+          {
+            "baseaddr": "0x7feff3f0000",
+            "basename": "ADVAPI32.dll",
+            "filepath": "C:\\Windows\\system32\\ADVAPI32.dll",
+            "imgsize": 897024
+          },
+          {
+            "baseaddr": "0x7fefe0f0000",
+            "basename": "msvcrt.dll",
+            "filepath": "C:\\Windows\\system32\\msvcrt.dll",
+            "imgsize": 651264
+          },
+          {
+            "baseaddr": "0x7feff350000",
+            "basename": "sechost.dll",
+            "filepath": "C:\\Windows\\SYSTEM32\\sechost.dll",
+            "imgsize": 126976
+          },
+          {
+            "baseaddr": "0x7feff660000",
+            "basename": "RPCRT4.dll",
+            "filepath": "C:\\Windows\\system32\\RPCRT4.dll",
+            "imgsize": 1232896
+          },
+          {
+            "baseaddr": "0x7fefd660000",
+            "basename": "CRYPT32.dll",
+            "filepath": "C:\\Windows\\system32\\CRYPT32.dll",
+            "imgsize": 1495040
+          },
+          {
+            "baseaddr": "0x7fefd4e0000",
+            "basename": "MSASN1.dll",
+            "filepath": "C:\\Windows\\system32\\MSASN1.dll",
+            "imgsize": 61440
+          },
+          {
+            "baseaddr": "0x7fefc730000",
+            "basename": "VERSION.dll",
+            "filepath": "C:\\Windows\\system32\\VERSION.dll",
+            "imgsize": 49152
+          },
+          {
+            "baseaddr": "0x7fefd850000",
+            "basename": "WINTRUST.dll",
+            "filepath": "C:\\Windows\\system32\\WINTRUST.dll",
+            "imgsize": 241664
+          },
+          {
+            "baseaddr": "0x7fef88b0000",
+            "basename": "dbghelp.dll",
+            "filepath": "C:\\Windows\\system32\\dbghelp.dll",
+            "imgsize": 1200128
+          },
+          {
+            "baseaddr": "0x7fef0a70000",
+            "basename": "MSVCP140.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\MSVCP140.dll",
+            "imgsize": 634880
+          },
+          {
+            "baseaddr": "0x7fef4fd0000",
+            "basename": "VCRUNTIME140.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\VCRUNTIME140.dll",
+            "imgsize": 90112
+          },
+          {
+            "baseaddr": "0x7fef7210000",
+            "basename": "api-ms-win-crt-runtime-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-runtime-l1-1-0.dll",
+            "imgsize": 16384
+          },
+          {
+            "baseaddr": "0x7fef0970000",
+            "basename": "ucrtbase.DLL",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\ucrtbase.DLL",
+            "imgsize": 1024000
+          },
+          {
+            "baseaddr": "0x7fefac50000",
+            "basename": "api-ms-win-core-localization-l1-2-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-localization-l1-2-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef6240000",
+            "basename": "api-ms-win-core-processthreads-l1-1-1.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-processthreads-l1-1-1.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef7140000",
+            "basename": "api-ms-win-core-file-l1-2-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-file-l1-2-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef5400000",
+            "basename": "api-ms-win-core-timezone-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-timezone-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef53f0000",
+            "basename": "api-ms-win-core-file-l2-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-file-l2-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef4e70000",
+            "basename": "api-ms-win-core-synch-l1-2-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-core-synch-l1-2-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef4e80000",
+            "basename": "api-ms-win-crt-string-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-string-l1-1-0.dll",
+            "imgsize": 16384
+          },
+          {
+            "baseaddr": "0x7fef4e50000",
+            "basename": "api-ms-win-crt-heap-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-heap-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef4e60000",
+            "basename": "api-ms-win-crt-stdio-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-stdio-l1-1-0.dll",
+            "imgsize": 16384
+          },
+          {
+            "baseaddr": "0x7fef4df0000",
+            "basename": "api-ms-win-crt-convert-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-convert-l1-1-0.dll",
+            "imgsize": 16384
+          },
+          {
+            "baseaddr": "0x7fef4e00000",
+            "basename": "api-ms-win-crt-locale-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-locale-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef3ab0000",
+            "basename": "api-ms-win-crt-math-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-math-l1-1-0.dll",
+            "imgsize": 20480
+          },
+          {
+            "baseaddr": "0x7fef4de0000",
+            "basename": "api-ms-win-crt-time-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-time-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef3a90000",
+            "basename": "api-ms-win-crt-filesystem-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-filesystem-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef3aa0000",
+            "basename": "api-ms-win-crt-environment-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-environment-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x7fef3a70000",
+            "basename": "api-ms-win-crt-utility-l1-1-0.dll",
+            "filepath": "C:\\Program Files\\Mozilla Firefox\\api-ms-win-crt-utility-l1-1-0.dll",
+            "imgsize": 12288
+          },
+          {
+            "baseaddr": "0x74540000",
+            "basename": "monitor-x64.dll",
+            "filepath": "C:\\tmpcaygsr\\bin\\monitor-x64.dll",
+            "imgsize": 2269184
+          }
+        ],
+        "pid": 1952,
+        "ppid": 2976,
+        "process_name": "firefox.exe",
+        "process_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+        "tid": 2524,
+        "time": 0,
+        "track": true,
+        "type": "process"
+      }
+    ],
+    "processtree": [
+      {
+        "children": [],
+        "command_line": "C:\\Windows\\system32\\lsass.exe",
+        "first_seen": 1606943609.640625,
+        "pid": 500,
+        "ppid": 384,
+        "process_name": "lsass.exe",
+        "track": false
+      },
+      {
+        "children": [
+          {
+            "children": [],
+            "command_line": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"",
+            "first_seen": 1606943649.755751,
+            "pid": 1952,
+            "ppid": 2976,
+            "process_name": "firefox.exe",
+            "track": true
+          }
+        ],
+        "command_line": "\"C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe\" ",
+        "first_seen": 1606943648.427626,
+        "pid": 2976,
+        "ppid": 3028,
+        "process_name": "Win32.DarkTequila.exe",
+        "track": true
+      }
+    ],
+    "summary": {
+      "command_line": [
+        "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974\"",
+        "http://www.gusanito.com/esp/tarjetas/postales/buenos_deseos/excelente_dia/974"
+      ],
+      "directory_enumerated": [
+        "C:\\Windows\\SysWOW64\\ieframe.dll",
+        "C:\\Windows\\SysWOW64",
+        "C:\\Windows",
+        "C:\\Windows\\SysWOW64\\*.*"
+      ],
+      "dll_loaded": [
+        "urlmon.dll",
+        "api-ms-win-appmodel-runtime-l1-1-2",
+        "apphelp.dll",
+        "gdi32.dll",
+        "msvcrt.dll",
+        "C:\\Program Files\\Internet Explorer\\ieproxy.dll",
+        "Ole32.dll",
+        "ntmarta.dll",
+        "api-ms-win-downlevel-advapi32-l1-1-0.dll",
+        "PROPSYS.dll",
+        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
+        "KERNEL32.DLL",
+        "api-ms-win-downlevel-ole32-l1-1-0.dll",
+        "advapi32.dll",
+        "ole32.dll",
+        "CRYPTSP.dll",
+        "C:\\Windows\\system32\\IMM32.DLL",
+        "wpcap.dll",
+        "C:\\Windows\\system32\\actxprxy.dll",
+        "OLEAUT32",
+        "OLEAUT32.dll",
+        "Shell32.dll",
+        "comctl32.dll",
+        "api-ms-win-downlevel-shlwapi-l2-1-0.dll",
+        "ADVAPI32.dll",
+        "SETUPAPI.dll"
+      ],
+      "file_created": ["c:\\Windows\\csrss.dll"],
+      "file_exists": ["C:\\Windows\\SysWOW64\\ieframe.dll"],
+      "file_opened": [
+        "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+        "C:\\Windows\\System32\\stdole2.tlb",
+        "C:\\Windows\\SysWOW64\\ieframe.dll",
+        "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\Win32.DarkTequila.exe",
+        "C:\\Windows\\SysWOW64\\",
+        "\\??\\c:",
+        "\\??\\PhysicalDrive0",
+        "C:\\Windows\\System32\\shell32.dll",
+        "C:\\Windows\\SysWOW64\\fr-FR\\ieframe.dll.mui",
+        "C:\\Windows\\AppPatch\\sysmain.sdb"
+      ],
+      "file_read": [
+        "C:\\Windows\\System32\\stdole2.tlb",
+        "C:\\Windows\\System32\\shell32.dll",
+        "C:\\Windows\\SysWOW64\\ieframe.dll"
+      ],
+      "file_recreated": ["\\??\\C:"],
+      "file_written": ["c:\\Windows\\csrss.dll"],
+      "guid": [
+        "{00000320-0000-0000-c000-000000000046}",
+        "{0000015b-0000-0000-c000-000000000046}",
+        "{00020420-0000-0000-c000-000000000046}",
+        "{76765b11-3f95-4af2-ac9d-ea55d8994f1a}",
+        "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
+        "{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
+        "{00000000-0000-0000-c000-000000000046}",
+        "{d5f569d0-593b-101a-b569-08002b2dbf7a}",
+        "{0000034b-0000-0000-c000-000000000046}",
+        "{871c5380-42a0-1069-a2ea-08002b30309d}",
+        "{000214e6-0000-0000-c000-000000000046}"
+      ],
+      "mutex": ["Global\\F42B8ED47C41A7A135BDA00457587C507BC99875"],
+      "regkey_opened": [
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\WindowsClientServerRunTimeSubsystem",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\Select",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip\\Parameters",
+        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters",
+        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+        "HKEY_CURRENT_USER\\SOFTWARE\\Mozilla\\Firefox\\Launcher",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WindowsClientServerRunTimeSubsystem",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
+        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
+        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
+        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
+        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+        "HKEY_CLASSES_ROOT\\CLSID\\{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
+        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
+        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
+      ],
+      "regkey_read": [
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorUseSystemHeap",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\ThreadingModel",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\ThreadingModel",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Data",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\Version",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\Windows\\LoadAppInit_DLLs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\IPv4LoopbackAlternative",
+        "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\InprocServer32",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\TypeLib\\Version",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPEnable",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\ProxyStubClsid32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\Tcpip\\Parameters\\EnableBpc",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2745-e569-11e7-b382-806e6f6e6963}\\Generation",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\LastKnownGood",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E2-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{00020430-0000-0000-C000-000000000046}\\2.0\\0\\win64\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableBpc",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Data",
+        "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Launcher",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E7A1AF80-4D96-11CF-960C-0080C7F4EE85}\\ProxyStubClsid32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
+        "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\InprocServer32",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CMF\\Config\\SYSTEM",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\shell\\open\\NeverDefault",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+        "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Browser",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Generation",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
+        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6D5140C1-7436-11CE-8034-00AA006009FA}\\ProxyStubClsid32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\InProcServer32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\\1.0\\0\\win64\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3ebd2744-e569-11e7-b382-806e6f6e6963}\\Generation",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000114-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SQMClient\\Windows\\CEIPSampledIn",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{A4C6892C-3BA9-11D2-9DEA-00C04FB16162}\\TypeLib\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
+        "HKEY_CURRENT_USER\\FirefoxURL-308046B0AF4A39CB\\NoStaticDefaultVerb",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE\\PageAllocatorSystemHeapIsPrivate",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{000214E3-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
+        "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox\\Launcher\\C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\\(Default)",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\GRE_Initialize\\DisableMetaFiles",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Setup\\SourcePath",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{5904ef13-2a24-11ea-b47b-806e6f6e6963}\\Data",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache"
+      ],
+      "regkey_written": [
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\WOW64",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Type",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Start",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ObjectName",
+        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\Wcsrss",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\DisplayName",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ImagePath",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\Description",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\FailureActions",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\services\\WindowsClientServerRunTimeSubsystem\\ErrorControl",
+        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\WOW64"
+      ]
+    }
+  },
+  "debug": {
+    "action": ["gatherer"],
+    "cuckoo": [
+      "2020-12-02 21:13:58,542 [cuckoo.core.scheduler] INFO: Task #10: acquired machine cuckoo1 (label=win7cuckoo)\n",
+      "2020-12-02 21:13:58,542 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #10\n",
+      "2020-12-02 21:13:58,542 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay\n",
+      "2020-12-02 21:13:58,548 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 11572 (interface=vboxnet0, host=192.168.56.101)\n",
+      "2020-12-02 21:13:58,549 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n",
+      "2020-12-02 21:13:58,573 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7cuckoo\n",
+      "2020-12-02 21:13:58,689 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7cuckoo to cuckoo-ready5\n",
+      "2020-12-02 21:14:02,934 [cuckoo.core.guest] INFO: Starting analysis #10 on guest (id=cuckoo1, ip=192.168.56.101)\n",
+      "2020-12-02 21:14:03,937 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n",
+      "2020-12-02 21:14:04,943 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n",
+      "2020-12-02 21:14:05,946 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n",
+      "2020-12-02 21:14:06,003 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet\n",
+      "2020-12-02 21:14:07,032 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)\n",
+      "2020-12-02 21:14:07,062 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3884763)\n",
+      "2020-12-02 21:14:07,326 [cuckoo.core.resultserver] DEBUG: Task #10: live log analysis.log initialized.\n",
+      "2020-12-02 21:14:07,976 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n",
+      "2020-12-02 21:14:08,178 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n",
+      "2020-12-02 21:14:09,253 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0001.jpg'\n",
+      "2020-12-02 21:14:09,259 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 127170\n",
+      "2020-12-02 21:14:09,762 [cuckoo.core.resultserver] DEBUG: Task #10 is sending a BSON stream\n",
+      "2020-12-02 21:14:10,337 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0002.jpg'\n",
+      "2020-12-02 21:14:10,344 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 124839\n",
+      "2020-12-02 21:14:11,442 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0003.jpg'\n",
+      "2020-12-02 21:14:11,445 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 126799\n",
+      "2020-12-02 21:14:12,256 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #10 still processing\n",
+      "2020-12-02 21:14:13,604 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0004.jpg'\n",
+      "2020-12-02 21:14:13,615 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 124612\n",
+      "2020-12-02 21:14:14,273 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully\n",
+      "2020-12-02 21:14:14,280 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay\n",
+      "2020-12-02 21:14:14,319 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer\n",
+      "2020-12-02 21:14:16,525 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7cuckoo to path /home/jean/.cuckoo/storage/analyses/10/memory.dmp\n",
+      "2020-12-02 21:14:16,529 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7cuckoo\n",
+      "2020-12-02 21:14:16,630 [cuckoo.core.resultserver] DEBUG: Task #10: File upload for 'shots/0005.jpg'\n",
+      "2020-12-02 21:14:16,702 [cuckoo.core.resultserver] DEBUG: Task #10 uploaded file length: 126296\n",
+      "2020-12-02 21:14:16,906 [cuckoo.core.resultserver] DEBUG: Task #10 had connection reset for <Context for LOG>\n",
+      "2020-12-02 21:14:20,398 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.56.101 for task #10\n",
+      "2020-12-02 21:14:20,822 [cuckoo.core.scheduler] DEBUG: Released database task #10\n",
+      "2020-12-02 21:14:21,251 [cuckoo.core.plugins] DEBUG: Executed processing module \"AnalysisInfo\" for task #10\n",
+      "2020-12-02 21:14:21,663 [cuckoo.core.plugins] DEBUG: Executed processing module \"BehaviorAnalysis\" for task #10\n",
+      "2020-12-02 21:14:21,665 [cuckoo.core.plugins] DEBUG: Executed processing module \"Dropped\" for task #10\n",
+      "2020-12-02 21:14:21,666 [cuckoo.core.plugins] DEBUG: Executed processing module \"DroppedB"
+    ],
+    "dbgview": [],
+    "errors": [],
+    "log": [
+      "2020-12-02 21:13:29,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmpcaygsr\n",
+      "2020-12-02 21:13:29,015 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\xjdrXqVKEocylZtiKIZVzSdkMxH\n",
+      "2020-12-02 21:13:29,015 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\LpDHTZmFiObyxUcCZLljz\n",
+      "2020-12-02 21:13:29,171 [analyzer] DEBUG: Started auxiliary module DbgView\n",
+      "2020-12-02 21:13:29,530 [analyzer] DEBUG: Started auxiliary module Disguise\n",
+      "2020-12-02 21:13:29,703 [analyzer] DEBUG: Loaded monitor into process with pid 500\n",
+      "2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n",
+      "2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module Human\n",
+      "2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n",
+      "2020-12-02 21:13:29,703 [analyzer] DEBUG: Started auxiliary module Reboot\n",
+      "2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module RecentFiles\n",
+      "2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module Screenshots\n",
+      "2020-12-02 21:13:29,717 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n",
+      "2020-12-02 21:13:29,780 [lib.api.process] INFO: Successfully executed process from path u'C:\\\\Users\\\\mes-vms\\\\AppData\\\\Local\\\\Temp\\\\Win32.DarkTequila.exe' with arguments '' and pid 2976\n",
+      "2020-12-02 21:14:08,505 [analyzer] DEBUG: Loaded monitor into process with pid 2976\n",
+      "2020-12-02 21:14:09,677 [analyzer] INFO: Injected into process with pid 1952 and name u'\\uc7d0\\u022c'\n",
+      "2020-12-02 21:14:09,880 [analyzer] DEBUG: Loaded monitor into process with pid 1952\n",
+      "2020-12-02 21:14:10,645 [lib.api.process] WARNING: The process with pid 1952 is not alive, memory dump aborted\n",
+      "2020-12-02 21:14:11,240 [analyzer] INFO: Process with pid 1952 has terminated\n",
+      "2020-12-02 21:14:12,645 [analyzer] INFO: Added new file to list with pid 2976 and path C:\\Windows\\csrss.dll\n",
+      "2020-12-02 21:14:12,661 [lib.api.process] WARNING: The process with pid 2976 is not alive, memory dump aborted\n",
+      "2020-12-02 21:14:13,240 [analyzer] INFO: Process with pid 2976 has terminated\n",
+      "2020-12-02 21:14:13,240 [analyzer] INFO: Process list is empty, terminating analysis.\n",
+      "2020-12-02 21:14:14,240 [analyzer] INFO: Error dumping file from path \"c:\\windows\\csrss.dll\": [Errno 13] Permission denied\n",
+      "2020-12-02 21:14:14,240 [analyzer] INFO: Analysis completed.\n"
+    ]
+  },
+  "info": {
+    "added": 1606943609.47906,
+    "category": "file",
+    "custom": null,
+    "duration": 22,
+    "ended": 1606943660.876434,
+    "git": {
+      "fetch_head": "13cbe0d9e457be3673304533043e992ead1ea9b2",
+      "head": "13cbe0d9e457be3673304533043e992ead1ea9b2"
+    },
+    "id": 10,
+    "machine": {
+      "label": "win7cuckoo",
+      "manager": "VirtualBox",
+      "name": "cuckoo1",
+      "shutdown_on": "2020-12-02 21:14:20",
+      "started_on": "2020-12-02 21:13:58",
+      "status": "stopped"
+    },
+    "monitor": "2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b",
+    "options": "procmemdump=yes,route=none",
+    "owner": null,
+    "package": "exe",
+    "platform": "windows",
+    "route": "none",
+    "score": 6.4,
+    "started": 1606943638.493838,
+    "version": "2.0.7"
+  },
+  "metadata": {
+    "output": {
+      "pcap": {
+        "basename": "dump.pcap",
+        "dirname": "",
+        "sha256": "704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea"
+      }
+    }
+  },
+  "network": {
+    "dead_hosts": [],
+    "dns": [],
+    "dns_servers": [],
+    "domains": [],
+    "hosts": [],
+    "http": [],
+    "http_ex": [],
+    "https_ex": [],
+    "icmp": [],
+    "irc": [],
+    "mitm": [],
+    "pcap_sha256": "704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea",
+    "smtp": [],
+    "smtp_ex": [],
+    "tcp": [],
+    "tls": [],
+    "udp": []
+  },
+  "screenshots": [
+    {
+      "ocr": "",
+      "path": "/home/jean/.cuckoo/storage/analyses/10/shots/0001.jpg"
+    },
+    {
+      "ocr": "",
+      "path": "/home/jean/.cuckoo/storage/analyses/10/shots/0002.jpg"
+    },
+    {
+      "ocr": "",
+      "path": "/home/jean/.cuckoo/storage/analyses/10/shots/0003.jpg"
+    },
+    {
+      "ocr": "",
+      "path": "/home/jean/.cuckoo/storage/analyses/10/shots/0004.jpg"
+    },
+    {
+      "ocr": "",
+      "path": "/home/jean/.cuckoo/storage/analyses/10/shots/0005.jpg"
+    }
+  ],
+  "signatures": [
+    {
+      "description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "category": "registry",
+          "description": null,
+          "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Cryptography\\MachineGuid",
+          "type": "ioc"
+        }
+      ],
+      "name": "recon_fingerprint",
+      "references": [],
+      "severity": 1,
+      "ttp": {}
+    },
+    {
+      "description": "Tries to locate where the browsers are installed",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "category": "file",
+          "description": null,
+          "ioc": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
+          "type": "ioc"
+        }
+      ],
+      "name": "locates_browser",
+      "references": [],
+      "severity": 1,
+      "ttp": {}
+    },
+    {
+      "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "call": {
+            "api": "GlobalMemoryStatusEx",
+            "arguments": {},
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2576,
+            "time": 1606943649.630626
+          },
+          "cid": 1059,
+          "pid": 2976,
+          "type": "call"
+        }
+      ],
+      "name": "antivm_memory_available",
+      "references": [],
+      "severity": 1,
+      "ttp": {
+        "T1082": {
+          "long": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.",
+          "short": "System Information Discovery"
+        }
+      }
+    },
+    {
+      "description": "The executable uses a known packer",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "category": "packer",
+          "description": null,
+          "ioc": "UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser",
+          "type": "ioc"
+        }
+      ],
+      "name": "peid_packer",
+      "references": [],
+      "severity": 1,
+      "ttp": {
+        "T1045": {
+          "long": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.",
+          "short": "Software Packing"
+        }
+      }
+    },
+    {
+      "description": "One or more processes crashed",
+      "families": [],
+      "markcount": 5,
+      "marks": [
+        {
+          "call": {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c100d",
+                "exception_code": "0xc0000094",
+                "instruction": "div eax",
+                "instruction_r": "f7 f0 e8 9c 05 00 00 85 c0 74 06 b8 0a 00 00 00",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 4109,
+                "symbol": "win32+0x100d"
+              },
+              "registers": {
+                "eax": 0,
+                "ebp": 2752212,
+                "ebx": 0,
+                "ecx": 3503292416,
+                "edi": 1971160937,
+                "edx": 2130566132,
+                "esi": 7155388,
+                "esp": 2751908
+              },
+              "stacktrace": "win32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+            },
+            "category": "__notification__",
+            "flags": {},
+            "raw": ["stacktrace"],
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 208,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c1602",
+                "exception_code": "0xc0000096",
+                "instruction": "in eax, dx",
+                "instruction_r": "ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 5634,
+                "symbol": "win32+0x1602"
+              },
+              "registers": {
+                "eax": 1447909480,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 10,
+                "edi": 1971160937,
+                "edx": 22104,
+                "esi": 7155388,
+                "esp": 2751844
+              },
+              "stacktrace": "win32+0x1014 @ 0x3c1014\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+            },
+            "category": "__notification__",
+            "flags": {},
+            "raw": ["stacktrace"],
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 210,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c1546",
+                "exception_code": "0xc000001d",
+                "instruction_r": "0f 3f 07 0b 85 db 0f 94 45 e7 5b eb 38 8b 45 ec",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 5446,
+                "symbol": "win32+0x1546"
+              },
+              "registers": {
+                "eax": 1,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 2028644408,
+                "edi": 1971160937,
+                "edx": 0,
+                "esi": 7155388,
+                "esp": 2751844
+              },
+              "stacktrace": "win32+0x1023 @ 0x3c1023\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+            },
+            "category": "__notification__",
+            "flags": {},
+            "raw": ["stacktrace"],
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 211,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c12ad",
+                "exception_code": "0x80000004",
+                "instruction": "mov dword ptr [ebp + 0xfffffffc], 0xfffffffe",
+                "instruction_r": "c7 45 fc fe ff ff ff b8 01 00 00 00 8b 4d f0 64",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 4781,
+                "symbol": "win32+0x12ad"
+              },
+              "registers": {
+                "eax": 2751884,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 2028644408,
+                "edi": 1971160937,
+                "edx": 2130566132,
+                "esi": 7155388,
+                "esp": 2751860
+              },
+              "stacktrace": "win32+0x108c @ 0x3c108c\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+            },
+            "category": "__notification__",
+            "flags": {},
+            "raw": ["stacktrace"],
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          "cid": 259,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c121d",
+                "exception_code": "0x80000003",
+                "instruction": "rol byte ptr [ebx + 0x45c702c0], -4",
+                "instruction_r": "c0 83 c0 02 c7 45 fc fe ff ff ff b8 01 00 00 00",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 4637,
+                "symbol": "win32+0x121d"
+              },
+              "registers": {
+                "eax": 2751884,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 2026067364,
+                "edi": 1971160937,
+                "edx": 844648,
+                "esi": 7155388,
+                "esp": 2751860
+              },
+              "stacktrace": "win32+0x10b9 @ 0x3c10b9\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+            },
+            "category": "__notification__",
+            "flags": {},
+            "raw": ["stacktrace"],
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.552626
+          },
+          "cid": 266,
+          "pid": 2976,
+          "type": "call"
+        }
+      ],
+      "name": "raises_exception",
+      "references": [],
+      "severity": 1,
+      "ttp": {}
+    },
+    {
+      "description": "Allocates read-write-execute memory (usually to unpack itself)",
+      "families": [],
+      "markcount": 4,
+      "marks": [
+        {
+          "call": {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 12288,
+              "base_address": "0x00390000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 64,
+              "region_size": 4096,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT|MEM_RESERVE",
+              "protection": "PAGE_EXECUTE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 256,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x10001000",
+              "heap_dep_bypass": 1,
+              "length": 40960,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 64,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          "cid": 1273,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "NtProtectVirtualMemory",
+            "arguments": {
+              "base_address": "0x1000b000",
+              "heap_dep_bypass": 1,
+              "length": 704512,
+              "process_handle": "0xffffffff",
+              "process_identifier": 2976,
+              "protection": 64,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": { "protection": "PAGE_EXECUTE_READWRITE" },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.552626
+          },
+          "cid": 1274,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "NtAllocateVirtualMemory",
+            "arguments": {
+              "allocation_type": 4096,
+              "base_address": "0x0000000000d90000",
+              "heap_dep_bypass": 0,
+              "process_handle": "0xffffffffffffffff",
+              "process_identifier": 1952,
+              "protection": 64,
+              "region_size": 65536,
+              "stack_dep_bypass": 0,
+              "stack_pivoted": 0
+            },
+            "category": "process",
+            "flags": {
+              "allocation_type": "MEM_COMMIT",
+              "protection": "PAGE_EXECUTE_READWRITE"
+            },
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2524,
+            "time": 1606943220.86902
+          },
+          "cid": 201,
+          "pid": 1952,
+          "type": "call"
+        }
+      ],
+      "name": "allocates_rwx",
+      "references": [],
+      "severity": 2,
+      "ttp": {}
+    },
+    {
+      "description": "Creates executable files on the filesystem",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "category": "file",
+          "description": null,
+          "ioc": "c:\\Windows\\csrss.dll",
+          "type": "ioc"
+        }
+      ],
+      "name": "creates_exe",
+      "references": [],
+      "severity": 2,
+      "ttp": {
+        "T1129": {
+          "long": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.",
+          "short": "Execution through Module Load"
+        }
+      }
+    },
+    {
+      "description": "Creates a service",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "call": {
+            "api": "CreateServiceA",
+            "arguments": {
+              "desired_access": 983551,
+              "display_name": "Windows Client Server Runtime Subsystem",
+              "error_control": 0,
+              "filepath": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss",
+              "filepath_r": "%SystemRoot%\\system32\\svchost.exe -k Wcsrss",
+              "password": "",
+              "service_handle": "0x006deca0",
+              "service_manager_handle": "0x006dede0",
+              "service_name": "WindowsClientServerRunTimeSubsystem",
+              "service_start_name": "",
+              "service_type": 16,
+              "start_type": 2
+            },
+            "category": "services",
+            "flags": {},
+            "return_value": 7204000,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          "cid": 1378,
+          "pid": 2976,
+          "type": "call"
+        }
+      ],
+      "name": "creates_service",
+      "references": [],
+      "severity": 2,
+      "ttp": {
+        "T1031": {
+          "long": "Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg.",
+          "short": "Modify Existing Service"
+        }
+      }
+    },
+    {
+      "description": "The binary likely contains encrypted or compressed data indicative of a packer",
+      "families": [],
+      "markcount": 2,
+      "marks": [
+        {
+          "description": "A section with a high entropy has been found",
+          "entropy": 7.999643147892846,
+          "section": {
+            "entropy": 7.999643147892846,
+            "name": "UPX1",
+            "size_of_data": "0x000d5800",
+            "virtual_address": "0x0000d000",
+            "virtual_size": "0x000d6000"
+          },
+          "type": "generic"
+        },
+        {
+          "description": "Overall entropy of this PE file is high",
+          "entropy": 0.9976635514018691,
+          "type": "generic"
+        }
+      ],
+      "name": "packer_entropy",
+      "references": [
+        "http://www.forensickb.com/2013/03/file-entropy-explained.html",
+        "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
+      ],
+      "severity": 2,
+      "ttp": {
+        "T1045": {
+          "long": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.",
+          "short": "Software Packing"
+        }
+      }
+    },
+    {
+      "description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
+      "families": [],
+      "markcount": 4,
+      "marks": [
+        {
+          "call": {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeDebugPrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 194,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeSecurityPrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          "cid": 1417,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeRestorePrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          "cid": 1419,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "LookupPrivilegeValueW",
+            "arguments": {
+              "privilege_name": "SeTakeOwnershipPrivilege",
+              "system_name": ""
+            },
+            "category": "system",
+            "flags": {},
+            "return_value": 1,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943652.646626
+          },
+          "cid": 1421,
+          "pid": 2976,
+          "type": "call"
+        }
+      ],
+      "name": "privilege_luid_check",
+      "references": [],
+      "severity": 2,
+      "ttp": {}
+    },
+    {
+      "description": "The executable is compressed using UPX",
+      "families": [],
+      "markcount": 2,
+      "marks": [
+        {
+          "description": "Section name indicates UPX",
+          "section": "UPX0",
+          "type": "generic"
+        },
+        {
+          "description": "Section name indicates UPX",
+          "section": "UPX1",
+          "type": "generic"
+        }
+      ],
+      "name": "packer_upx",
+      "references": [],
+      "severity": 2,
+      "ttp": {
+        "T1045": {
+          "long": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.",
+          "short": "Software Packing"
+        }
+      }
+    },
+    {
+      "description": "Checks for the presence of known windows from debuggers and forensic tools",
+      "families": [],
+      "markcount": 4,
+      "marks": [
+        {
+          "call": {
+            "api": "FindWindowA",
+            "arguments": { "class_name": "OLLYDBG", "window_name": "" },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 248,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "FindWindowA",
+            "arguments": {
+              "class_name": "WinDbgFrameClass",
+              "window_name": ""
+            },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 249,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "FindWindowA",
+            "arguments": {
+              "class_name": "PROCMON_WINDOW_CLASS",
+              "window_name": ""
+            },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 250,
+          "pid": 2976,
+          "type": "call"
+        },
+        {
+          "call": {
+            "api": "FindWindowA",
+            "arguments": { "class_name": "PROCEXPL", "window_name": "" },
+            "category": "ui",
+            "flags": {},
+            "last_error": 18,
+            "nt_status": -1073741808,
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 0,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 251,
+          "pid": 2976,
+          "type": "call"
+        }
+      ],
+      "name": "antidbg_windows",
+      "references": [],
+      "severity": 3,
+      "ttp": {
+        "T1057": {
+          "long": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.",
+          "short": "Process Discovery"
+        }
+      }
+    },
+    {
+      "description": "Installs itself for autorun at Windows startup",
+      "families": [],
+      "markcount": 2,
+      "marks": [
+        {
+          "service_name": "WindowsClientServerRunTimeSubsystem",
+          "service_path": "C:\\Users\\mes-vms\\AppData\\Local\\Temp\\%SystemRoot%\\system32\\svchost.exe -k Wcsrss",
+          "type": "generic"
+        },
+        {
+          "reg_key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WindowsClientServerRunTimeSubsystem\\Parameters\\ServiceDll",
+          "reg_value": "%SystemRoot%\\csrss.dll",
+          "type": "generic"
+        }
+      ],
+      "name": "persistence_autorun",
+      "references": [],
+      "severity": 3,
+      "ttp": {
+        "T1053": {
+          "long": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system.",
+          "short": "Scheduled Task"
+        },
+        "T1060": {
+          "long": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.  These programs will be executed under the context of the user and will have the account's associated permissions level.",
+          "short": "Registry Run Keys / Startup Folder"
+        }
+      }
+    },
+    {
+      "description": "Detects VMWare through the in instruction feature",
+      "families": [],
+      "markcount": 1,
+      "marks": [
+        {
+          "call": {
+            "api": "__exception__",
+            "arguments": {
+              "exception": {
+                "address": "0x3c1602",
+                "exception_code": "0xc0000096",
+                "instruction": "in eax, dx",
+                "instruction_r": "ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45",
+                "module": "Win32.DarkTequila.exe",
+                "offset": 5634,
+                "symbol": "win32+0x1602"
+              },
+              "registers": {
+                "eax": 1447909480,
+                "ebp": 2751900,
+                "ebx": 0,
+                "ecx": 10,
+                "edi": 1971160937,
+                "edx": 22104,
+                "esi": 7155388,
+                "esp": 2751844
+              },
+              "stacktrace": "win32+0x1014 @ 0x3c1014\nwin32+0x8b60 @ 0x3c8b60\nwin32+0xa83f @ 0x3ca83f\nBaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x1336a @ 0x757d336a\nRtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x398f2 @ 0x779f98f2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x398c5 @ 0x779f98c5"
+            },
+            "category": "__notification__",
+            "flags": {},
+            "raw": ["stacktrace"],
+            "return_value": 0,
+            "stacktrace": [],
+            "status": 1,
+            "tid": 2868,
+            "time": 1606943649.536626
+          },
+          "cid": 210,
+          "pid": 2976,
+          "type": "call"
+        }
+      ],
+      "name": "antivm_vmware_in_instruction",
+      "references": [],
+      "severity": 3,
+      "ttp": {}
+    },
+    {
+      "description": "File has been identified by 62 AntiVirus engines on VirusTotal as malicious",
+      "families": [],
+      "markcount": 62,
+      "marks": [
+        {
+          "category": "Bkav",
+          "description": null,
+          "ioc": "W32.AIDetectVM.malware2",
+          "type": "ioc"
+        },
+        {
+          "category": "Elastic",
+          "description": null,
+          "ioc": "malicious (high confidence)",
+          "type": "ioc"
+        },
+        {
+          "category": "Cynet",
+          "description": null,
+          "ioc": "Malicious (score: 100)",
+          "type": "ioc"
+        },
+        {
+          "category": "FireEye",
+          "description": null,
+          "ioc": "Generic.mg.9fbdc5eca123e815",
+          "type": "ioc"
+        },
+        {
+          "category": "CAT-QuickHeal",
+          "description": null,
+          "ioc": "Trojan.Dynamer.8198",
+          "type": "ioc"
+        },
+        {
+          "category": "McAfee",
+          "description": null,
+          "ioc": "GenericRXAA-FA!9FBDC5ECA123",
+          "type": "ioc"
+        },
+        {
+          "category": "Cylance",
+          "description": null,
+          "ioc": "Unsafe",
+          "type": "ioc"
+        },
+        {
+          "category": "Zillya",
+          "description": null,
+          "ioc": "Trojan.Kryptik.Win32.820724",
+          "type": "ioc"
+        },
+        {
+          "category": "Sangfor",
+          "description": null,
+          "ioc": "Malware",
+          "type": "ioc"
+        },
+        {
+          "category": "K7AntiVirus",
+          "description": null,
+          "ioc": "Trojan ( 0004a2ea1 )",
+          "type": "ioc"
+        },
+        {
+          "category": "Alibaba",
+          "description": null,
+          "ioc": "Worm:Win32/DarkTequila.7550016f",
+          "type": "ioc"
+        },
+        {
+          "category": "K7GW",
+          "description": null,
+          "ioc": "Trojan ( 0004a2ea1 )",
+          "type": "ioc"
+        },
+        {
+          "category": "Cybereason",
+          "description": null,
+          "ioc": "malicious.ca123e",
+          "type": "ioc"
+        },
+        {
+          "category": "Arcabit",
+          "description": null,
+          "ioc": "Trojan.Graftor.D1F955",
+          "type": "ioc"
+        },
+        {
+          "category": "TrendMicro",
+          "description": null,
+          "ioc": "TSPY_DARKTEQUILA.A",
+          "type": "ioc"
+        },
+        {
+          "category": "Cyren",
+          "description": null,
+          "ioc": "W32/S-91f5258d!Eldorado",
+          "type": "ioc"
+        },
+        {
+          "category": "Symantec",
+          "description": null,
+          "ioc": "Backdoor.DarkTeq",
+          "type": "ioc"
+        },
+        {
+          "category": "TotalDefense",
+          "description": null,
+          "ioc": "Win32/Bancos_i",
+          "type": "ioc"
+        },
+        {
+          "category": "APEX",
+          "description": null,
+          "ioc": "Malicious",
+          "type": "ioc"
+        },
+        {
+          "category": "Avast",
+          "description": null,
+          "ioc": "Win32:Malware-gen",
+          "type": "ioc"
+        },
+        {
+          "category": "Kaspersky",
+          "description": null,
+          "ioc": "Trojan.Win32.DarkTequila.d",
+          "type": "ioc"
+        },
+        {
+          "category": "BitDefender",
+          "description": null,
+          "ioc": "Gen:Variant.Graftor.129365",
+          "type": "ioc"
+        },
+        {
+          "category": "NANO-Antivirus",
+          "description": null,
+          "ioc": "Trojan.Win32.Dwn.dyfxok",
+          "type": "ioc"
+        },
+        {
+          "category": "Paloalto",
+          "description": null,
+          "ioc": "generic.ml",
+          "type": "ioc"
+        },
+        {
+          "category": "MicroWorld-eScan",
+          "description": null,
+          "ioc": "Gen:Variant.Graftor.129365",
+          "type": "ioc"
+        },
+        {
+          "category": "Tencent",
+          "description": null,
+          "ioc": "Malware.Win32.Gencirc.10b3f5ed",
+          "type": "ioc"
+        },
+        {
+          "category": "Ad-Aware",
+          "description": null,
+          "ioc": "Gen:Variant.Graftor.129365",
+          "type": "ioc"
+        },
+        {
+          "category": "Emsisoft",
+          "description": null,
+          "ioc": "Gen:Variant.Graftor.129365 (B)",
+          "type": "ioc"
+        },
+        {
+          "category": "Comodo",
+          "description": null,
+          "ioc": "TrojWare.Win32.Crypt.EBT@611gnb",
+          "type": "ioc"
+        },
+        {
+          "category": "F-Secure",
+          "description": null,
+          "ioc": "Trojan.TR/Crypt.XPACK.Gen3",
+          "type": "ioc"
+        },
+        {
+          "category": "DrWeb",
+          "description": null,
+          "ioc": "Trojan.DownLoader17.30288",
+          "type": "ioc"
+        },
+        {
+          "category": "VIPRE",
+          "description": null,
+          "ioc": "Trojan.Win32.Generic.pak!cobra",
+          "type": "ioc"
+        },
+        {
+          "category": "Invincea",
+          "description": null,
+          "ioc": "Mal/Generic-R + W32/Crastic-A",
+          "type": "ioc"
+        },
+        {
+          "category": "McAfee-GW-Edition",
+          "description": null,
+          "ioc": "BehavesLike.Win32.Generic.cc",
+          "type": "ioc"
+        },
+        {
+          "category": "Sophos",
+          "description": null,
+          "ioc": "W32/Crastic-A",
+          "type": "ioc"
+        },
+        {
+          "category": "SentinelOne",
+          "description": null,
+          "ioc": "Static AI - Suspicious PE",
+          "type": "ioc"
+        },
+        {
+          "category": "Jiangmin",
+          "description": null,
+          "ioc": "Variant.Strictor.h",
+          "type": "ioc"
+        },
+        {
+          "category": "Webroot",
+          "description": null,
+          "ioc": "W32.Trojan.Gen",
+          "type": "ioc"
+        },
+        {
+          "category": "Avira",
+          "description": null,
+          "ioc": "TR/Crypt.XPACK.Gen3",
+          "type": "ioc"
+        },
+        {
+          "category": "MAX",
+          "description": null,
+          "ioc": "malware (ai score=100)",
+          "type": "ioc"
+        },
+        {
+          "category": "Antiy-AVL",
+          "description": null,
+          "ioc": "Trojan/Win32.SGeneric",
+          "type": "ioc"
+        },
+        {
+          "category": "Gridinsoft",
+          "description": null,
+          "ioc": "Worm.Win32.Mydoom.ka!i",
+          "type": "ioc"
+        },
+        {
+          "category": "Microsoft",
+          "description": null,
+          "ioc": "Worm:Win32/Crastic!rfn",
+          "type": "ioc"
+        },
+        {
+          "category": "AegisLab",
+          "description": null,
+          "ioc": "Trojan.Win32.DarkTequila.trya",
+          "type": "ioc"
+        },
+        {
+          "category": "ZoneAlarm",
+          "description": null,
+          "ioc": "Trojan.Win32.DarkTequila.d",
+          "type": "ioc"
+        },
+        {
+          "category": "GData",
+          "description": null,
+          "ioc": "Gen:Variant.Graftor.129365",
+          "type": "ioc"
+        },
+        {
+          "category": "AhnLab-V3",
+          "description": null,
+          "ioc": "Trojan/Win32.HDC.C138160",
+          "type": "ioc"
+        },
+        {
+          "category": "Acronis",
+          "description": null,
+          "ioc": "suspicious",
+          "type": "ioc"
+        },
+        {
+          "category": "BitDefenderTheta",
+          "description": null,
+          "ioc": "AI:Packer.519AA5961F",
+          "type": "ioc"
+        },
+        {
+          "category": "ALYac",
+          "description": null,
+          "ioc": "Trojan.Agent.DarkTequila",
+          "type": "ioc"
+        }
+      ],
+      "name": "antivirus_virustotal",
+      "references": [],
+      "severity": 6,
+      "ttp": {}
+    }
+  ],
+  "static": {
+    "imported_dll_count": 2,
+    "keys": [],
+    "pdb_path": null,
+    "pe_exports": [],
+    "pe_imphash": "fc785ac8507eb2f8e2af81f89b4cb6fd",
+    "pe_imports": [
+      {
+        "dll": "KERNEL32.DLL",
+        "imports": [
+          { "address": "0x4e3568", "name": "LoadLibraryA" },
+          { "address": "0x4e356c", "name": "GetProcAddress" },
+          { "address": "0x4e3570", "name": "VirtualProtect" },
+          { "address": "0x4e3574", "name": "VirtualAlloc" },
+          { "address": "0x4e3578", "name": "VirtualFree" },
+          { "address": "0x4e357c", "name": "ExitProcess" }
+        ]
+      },
+      {
+        "dll": "msvcrt.dll",
+        "imports": [{ "address": "0x4e3584", "name": "free" }]
+      }
+    ],
+    "pe_resources": [
+      {
+        "filetype": "GLS_BINARY_LSB_FIRST",
+        "language": "LANG_ENGLISH",
+        "name": "RT_ICON",
+        "offset": "0x000e33dc",
+        "size": "0x00000128",
+        "sublanguage": "SUBLANG_ENGLISH_US"
+      },
+      {
+        "filetype": "GLS_BINARY_LSB_FIRST",
+        "language": "LANG_ENGLISH",
+        "name": "RT_ICON",
+        "offset": "0x000e33dc",
+        "size": "0x00000128",
+        "sublanguage": "SUBLANG_ENGLISH_US"
+      },
+      {
+        "filetype": "data",
+        "language": "LANG_ENGLISH",
+        "name": "RT_GROUP_ICON",
+        "offset": "0x000e3508",
+        "size": "0x00000022",
+        "sublanguage": "SUBLANG_ENGLISH_US"
+      }
+    ],
+    "pe_sections": [
+      {
+        "entropy": 0.0,
+        "name": "UPX0",
+        "size_of_data": "0x00000000",
+        "virtual_address": "0x00001000",
+        "virtual_size": "0x0000c000"
+      },
+      {
+        "entropy": 7.999643147892846,
+        "name": "UPX1",
+        "size_of_data": "0x000d5800",
+        "virtual_address": "0x0000d000",
+        "virtual_size": "0x000d6000"
+      },
+      {
+        "entropy": 2.6819136088621818,
+        "name": ".rsrc",
+        "size_of_data": "0x00000800",
+        "virtual_address": "0x000e3000",
+        "virtual_size": "0x00001000"
+      }
+    ],
+    "pe_timestamp": "1999-12-05 05:15:29",
+    "pe_versioninfo": [],
+    "peid_signatures": [
+      "UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser"
+    ],
+    "signature": []
+  },
+  "strings": [
+    "!This program cannot be run in DOS mode.",
+    "$]q\\<-",
+    ";i8,?}jWI&",
+    "\u001fR=.w}",
+    "F\",Og1g",
+    "Ei;<6<",
+    "d[?Q^\u001f",
+    "@EYzz:L",
+    "8?U):Dp",
+    "rUxS2\\",
+    "mS*<[S&",
+    "^AhYQ+",
+    "DW!I;J/",
+    "V%b,kT",
+    "O8\u001f`l ",
+    "kAW!k}",
+    "_@D<3q/",
+    "\\p5TV:\u001fd",
+    "Gj@@GEX",
+    ":aZq}hW",
+    "[+*X\\5",
+    "$QnAU$",
+    "v<%*$V",
+    "C&9q/r",
+    "\u001fZ{]F;",
+    "U6&eb{",
+    "MvGyZ:oL",
+    "pD1;Dm",
+    " pLmxMp",
+    ">EUH&J",
+    "Y^1egN",
+    ">^<Md=",
+    "*tO6v1,",
+    "\\0mWyx",
+    "Ng}>\\t",
+    "18@j -Z",
+    "p2eRXD\"",
+    ")66'mV",
+    "t#e(u0+",
+    "j;\\zZT",
+    "27Mi#_",
+    "i'$K'f",
+    "KDY+fr",
+    "q[iH4Q",
+    "rC{;IG",
+    "@Al#7<",
+    "iZ>>z@",
+    "C=|e!1a",
+    "0g*TU4",
+    "l{LM]&M/*Xh",
+    "Gpf{nm",
+    "dR'c'[",
+    "=GtKHls",
+    "HJytA]Z",
+    "bQp+c\"",
+    "`Ob\"+T",
+    "mOav1.",
+    "%Tn`S;O",
+    "b9EN'P@",
+    "k^\\w2km",
+    ",^Ef'1",
+    "Q+{RZX:",
+    "#Mq~xLm",
+    "\\fO;GXf-",
+    "6V,;E4",
+    "Vu?HU'",
+    "x4{;n,",
+    "8ZetN6&",
+    "7$8)dI",
+    "UFX\"M+",
+    "6\\%xLQ",
+    "Jq=+Lc_",
+    "95[\\}>",
+    "^_=/6{",
+    "Cf/\\PX",
+    ",c2Mkt.f",
+    "j(q5Z*",
+    "nnc_rp[",
+    " 8b6G=#",
+    "\u001fvAW;qK",
+    "i|e%8Ef",
+    "T:t9@S",
+    "0OG8#*",
+    "AGF ]/",
+    "^Wv+Om#",
+    "kRSNzA|",
+    "rhaIIM",
+    ";E0Ow4",
+    "ckt`8/",
+    "oVTmk&",
+    "'fw>z0",
+    "@vn\"Q;J",
+    "059az.",
+    "0[s19b",
+    "7}J#&'",
+    "!.4>G%",
+    "#reb;(",
+    "9LW\u001fFG",
+    "4k;8qf",
+    "N!Acxz",
+    "v.]Q\u001f7_",
+    "H\"-5lV/",
+    "[]rc\\9",
+    "F)HYQ9V",
+    "j?nn AY",
+    "wt5a.H",
+    "ys]cC:",
+    "Ck\"fshh",
+    "la@\\W`",
+    "5(4Iw#",
+    "=WE&hZ;2",
+    "Nes!kCJ/",
+    "WqgM+>x4",
+    ",fcxi~",
+    "0H0xy=t",
+    "<dTbmx",
+    "MbR`(\"`",
+    "229.]cwG",
+    "^P-d.lj",
+    "J2:w;G,#K&",
+    "9W=($H",
+    "Q\u001fZu]{s",
+    "v'0to{p&",
+    "TRG0oe",
+    "]L(L%[",
+    "%d[2QU",
+    ":(k!_W",
+    "3H9&&^",
+    "VH+(v|n",
+    ">b{\"26G",
+    "Mp1El/Y",
+    "a>*[d8",
+    "-&VJG0O}",
+    "X'u[%n",
+    "~ E.@w",
+    "E(8kFg",
+    "YQ7\u001fKg",
+    "6@J{d[k",
+    "Fi=zY,",
+    "Hh-}7G",
+    "'#Z*i}",
+    "*}hj%/",
+    "ZC+s3L",
+    "{m?K5m,_/",
+    "G ;}HE",
+    "egyF|=",
+    "`Kx<Y/",
+    "&TJU97xfp$4,",
+    "Td=!beO",
+    "7FLec5A",
+    "=g-HEp",
+    "uNDy(|(",
+    "=}L{p5",
+    "buqCYLW]",
+    "Pi*5w=",
+    "ISnD`k]",
+    "ouN$muE(",
+    "]z+,!z5",
+    "r'\u001f]Pa<",
+    "+v;m&n",
+    "Udx\\[U",
+    "8M\"o>t",
+    "h.I\")R",
+    "^!<mE@",
+    "-Q_Har",
+    "zat''d",
+    " 'h>^}",
+    "JBR[0TT@",
+    "g\"a6HI",
+    "@Yb9nkj",
+    "i.^m|+",
+    "jrym+:Ly9",
+    "IEY40xS",
+    "&[e\u001f_}:",
+    "ol VvL",
+    "ae:kv|[]!",
+    "4#x-&4",
+    "_+aYc]N",
+    "q`i@BJ",
+    "Nq4w3u",
+    "N);];'_]X^",
+    "AL@EOOB",
+    "e.Lm\\6",
+    "mw^bYU",
+    "GiWuEj(*Oe",
+    "D%u0 g",
+    "]8J*gw",
+    "Gf1g.q",
+    "Fs/=^&",
+    "aO7v57",
+    "6K&M.*!",
+    "R|7Zmh",
+    "}C<<J3k",
+    ".Qz55Ey",
+    "o3w`K+d",
+    "cy55v*Y+",
+    "T_(J~q",
+    "H%* [g",
+    "$IT.eBt",
+    "69AE'%",
+    "G~0v,_HB0",
+    "L44BM\"",
+    "PL1WpB8",
+    "=uea^D",
+    "N1v$f*",
+    "U6iIE%",
+    "r8F<fk'",
+    "G6g2|Q",
+    "AE:\\Qs",
+    "dU.F?80",
+    "1#An}\\Q",
+    "!+}S-S",
+    "iIL)_Q",
+    "N2S&(h",
+    "w\\Y-W&",
+    "JOM+*s",
+    "_PF_Yj",
+    ")2!l0S4",
+    "HV05C,z",
+    "5fL7(Z",
+    "xy.,S6",
+    "t*Zkcz\"X",
+    "\u001f| rn%",
+    "=%J0p\u001f",
+    "?Vt}>J",
+    ">\u001fpXZ'",
+    ")zj4/#",
+    "Db.}!Z",
+    "#O4IVf",
+    "C7-86.",
+    "3KC|PY",
+    "Lz: N.",
+    "b#w/|.",
+    "NY/NV%V",
+    "esnHb:s",
+    "t[5T}V)e",
+    "=uYHfz",
+    "WGlJOc",
+    "4sf}.w/}",
+    "cI9J9F,-",
+    "uf|z/h",
+    "v(j6lq",
+    "E:<J9p",
+    ";Hzb+]",
+    "Nk},f3;",
+    "s4\u001faxx<",
+    "{ IX( ",
+    "A*AzLS",
+    "<uOAZ)X",
+    "2;t`?\u001f",
+    "$C\"$eQ",
+    "xa0a.s",
+    "^#zIG:",
+    "cd0-XZ",
+    "2P+& L3",
+    "K&t7=|uDvZP",
+    "!cOdkD",
+    "IjYWVZ",
+    " h@+e\u001f",
+    "-HLP)LX",
+    "))U ,R",
+    "yDfcn3aFA",
+    ")[Ld\u001fj",
+    "i=Qm[/",
+    "qbkLm0R)",
+    "3z\u001f)K?",
+    "OB*rH$",
+    "K#BK`;b!",
+    "`s]Q*(",
+    "]O!i<8",
+    "@\\|g7O,",
+    ".To.hTI",
+    "]i.i`-<",
+    "5x\\tgrjj",
+    "f>9\\V9",
+    "TY3gv@X",
+    "P?H]6e2['` ",
+    "\\i%US0",
+    "N[ss$U",
+    "yiVD\u001fG",
+    "%ySCO?r",
+    "2k`mG/",
+    "uu4:xwS",
+    "fJ\\Nf+{",
+    "\u001fo`].9",
+    "yX1#0p",
+    "]g6DIzr3",
+    "B()-,M]$!",
+    "Vs\\Qi#%",
+    "R&bmV\u001f'",
+    "A\\7P%S",
+    "zYK0K^",
+    "J;-Od3",
+    "RZ~CNG",
+    "hjwE2#7l<",
+    "/eu+n ",
+    "! YsP+",
+    "\"64^Sr",
+    "cv\\wQ0",
+    "+)'[f;%",
+    "Lqm^Bd",
+    "ZwIjA^",
+    "YL7V!M{",
+    "ue:}Rk6",
+    "JV~OgL",
+    "vTvok_",
+    "lw9/nf",
+    "4E op3",
+    "]Hilt1",
+    "6B!zB<",
+    ">Rk3/L",
+    "-v8\" s;j",
+    "x@#+^0",
+    "}P.(t%\\",
+    "PL|a.h",
+    "n]k({=",
+    "X#0z@z",
+    "BE~\"8W",
+    ">9jA0i",
+    "mOQ)!*",
+    "a$~K\\]",
+    "\u001f9oC)&9",
+    "8H+5,**",
+    "^,r`8j",
+    "7sX[=JsJ",
+    "k+|T7+7",
+    "JSU9TD-",
+    "s\\%c$E",
+    "l<VpYb",
+    "!iG9d>",
+    "zK*P44yO",
+    "-?:9+)%",
+    "TdKEe+",
+    "ydr<{C&'",
+    "7@E/x_4",
+    "hq!?eu",
+    "!@>L,>",
+    "a2<ni`h9",
+    "@(Ijgr",
+    "}{[=yYTx",
+    "\"[j,!9",
+    ">QD4/,]",
+    "AY7SMF",
+    "ax^EkuR5",
+    "{d!XW:",
+    "2,LhnK",
+    "LcTz{B",
+    "54Jfxy",
+    "'\u001fw\\[t",
+    "W4yWgD",
+    "Y0&+ 6.",
+    "^hIi26N",
+    "v9}X,<S",
+    "h\u001fUdJ<",
+    "[)x}9L",
+    "UU5\\EO",
+    "hmY(%N",
+    "6t3-|K",
+    "#Z{JMw",
+    "WC6/GHr;1",
+    "yF,h&Z",
+    "1`OT\\+@q",
+    "J~w{Bs",
+    "|\"^_uQ",
+    "3v\\/AX",
+    "|3\\Ad=",
+    "lucPPL",
+    ")%5O p",
+    "L+NI>C",
+    "o*tX+B",
+    "ayL.F%",
+    "OfO&wI",
+    ",VkWUuUX#3;*}",
+    "q\"J6`|",
+    ">!;vyB",
+    "~.O\"6/",
+    "=E[u<j",
+    "PQU'rh",
+    "\u001f$9fKy",
+    "O\\*>#1i",
+    "vr!B\\O8?",
+    "8GHv{S",
+    "d\u001fD'^'$",
+    "yj\\DD_",
+    "o@Ckgx",
+    "_`psm`",
+    ">E8)3k",
+    "a|:gwsX",
+    "#Pp8}R",
+    "Su0t:-$~",
+    "t{}S$HeM",
+    "VFbi_;y",
+    "`'7_\\v{s",
+    "~Xq!0>0",
+    "n,$FqxbAS",
+    "B~9Q-\\a",
+    "Qj=;@g",
+    "uL5Tw \u001f",
+    ";M:/+6^",
+    "E|g2Na",
+    "kS,pDC",
+    "p@O!'<_",
+    "jN^CK|Qq",
+    "ot'J<~{",
+    "j#73*/Q",
+    "P<j1hU",
+    "o.44uw",
+    "6LXg\"803",
+    "NZVvOg",
+    "\\k`z 5",
+    "}=BWkd}",
+    "rn5D[*",
+    "xg5)HOt",
+    "-3l8uM",
+    "~'8</W",
+    "4eu\\eK",
+    "C!wz;*",
+    "KWqvu?N",
+    "D Lcb3V",
+    "S-\\r28",
+    "`n<&A~",
+    "(4f<mM",
+    "e%>hos",
+    "`M-crYyj",
+    "72QG-W",
+    "}'efeIJ",
+    "6\\0G|V",
+    "4%}B^Y",
+    "y>NA!Lg",
+    ":s'Kq,Jk",
+    "dn9p43",
+    "p-{PGl",
+    "(?s,]_",
+    "\"h&VC;N",
+    "7;qqEy",
+    "=b[4!~",
+    ">-Q\u001fTW",
+    "V$@m2We^",
+    "'X8/N6K",
+    "v892Vd~|",
+    "3;^pRW",
+    "2;SsRdV",
+    "Dl8<'z",
+    ";j]zz1",
+    " Z&'}*",
+    "~KMRc%",
+    "PJ0DOp",
+    ";)[J Q",
+    "WS7EE=",
+    "{~={f}",
+    "[8]MbHrW",
+    "d.5{`Y",
+    "p~~ItuV",
+    "9V+(vp",
+    "s*>EkY",
+    ";-.>(&",
+    "xWk&Co",
+    "\\#[gV4:",
+    "=]0ZCi*h",
+    "4Y;1|#",
+    "^U;gW|",
+    "n}DV.D",
+    ",#+%$1",
+    "%IC9-b",
+    "ncdvAJ",
+    "oT8wy}",
+    "R8.n/U",
+    "O)XvSL",
+    "Zov[;1",
+    "hw([cI",
+    "'&>nT'+",
+    "<LXoS'",
+    "z>{gY`",
+    "0e;F|*{",
+    "XW=6#S",
+    "g*X<*0",
+    "/kDN?~",
+    "4\u001f5Ti-}",
+    "&(AOSY*u/",
+    "v}ynf:w",
+    "l0P#-z",
+    ".]O>tH",
+    "7e7!AZF",
+    "o/`}/W\"?j\u001f",
+    "J.+Q7*U1",
+    "I|ZK*P'",
+    "Zph1Ej:I",
+    "(yoi)LP",
+    "XYl6Ew",
+    "{fa^Q0",
+    "T]x(f9i",
+    "[,'YQH2",
+    "lKxcaI",
+    "T>RZ\\8fW",
+    ",iMJM*",
+    "NE?:hY",
+    "qXb=)<)?",
+    "oI;Y(>",
+    "!@cb1W",
+    "3F, >4)",
+    "L^;JG*6",
+    "ik,\\+0",
+    " ?/-l@",
+    "HEV;$`-",
+    ",t^9vLdt",
+    "]O01Zg",
+    "n9`3>j",
+    "F4SPN,",
+    "@y\u001fo&C",
+    "<1:N.*",
+    "\u001f4S:HM",
+    "\u001f_*eE#",
+    "e,mzv4WQd",
+    "S-j*|0",
+    "P?h{e\\^",
+    "^{gdb3",
+    ";BRZ\\:2-\u001f",
+    "^*]r;<",
+    "<w2tx[ZK",
+    "B/4&=>V",
+    "C@5QR*",
+    "{O&O>0",
+    "Aa5c}^",
+    "!.iY6fWU",
+    "+PF3V,",
+    "Ad\"S6c",
+    "txu6<h#",
+    ";oDaPZA",
+    ";KYCUj",
+    "6*!he0z",
+    "`uO\">n(4",
+    "!K&asy",
+    "HuL)=,",
+    "j9r%.F?",
+    "\\;'MG$",
+    ",Zb^&8",
+    "Qsg<oQMC",
+    "TP*4OTe",
+    "mJGvmx1/",
+    "VO|l(G",
+    "Y!V(gD",
+    "K`i$F,h",
+    "DrnG!-",
+    "~W,UZG",
+    "|sOZpJ",
+    "UF*mom",
+    "Mc`@#\"",
+    "?{+=(b",
+    "y8Qh/o",
+    "$OdNkB",
+    "5N:]#v",
+    "))F#1P",
+    "r[jR^Qv",
+    "c*(<Py6",
+    "S<p\"t/",
+    "8X27\u001fA",
+    "IUlMlV@",
+    ",+iP=C",
+    "4>;G[#",
+    "06h<sg",
+    "9|=4CR'B0",
+    "A3<'5|",
+    "-!}:WEK",
+    "z8YhM>",
+    "lLOHAK;7",
+    "=_H@c+",
+    "/hs:l`'",
+    ">dKA`!",
+    "TfxY#qT",
+    "Xx_\"Z!",
+    "Wqs\\3 ",
+    "h#[),M",
+    "}K\\RG0",
+    "^__%Av",
+    ")M~lw|k",
+    "I4J73b",
+    "4P*7>.'",
+    "y)h{Hk",
+    "\u001fL6 t\\",
+    "2.hN+U8&p",
+    "r^u|9?",
+    "K0MP.V",
+    "!h_#q}ez",
+    "A8fp; ",
+    "HnDb`a0",
+    "j]jBp:",
+    "4``[;0",
+    "'Gqd\\f",
+    "dE(7k]",
+    "s7I~'Ip",
+    "=}h\"IhI",
+    "DI0*?U",
+    "}a/ 9\u001f",
+    "[:zc_E(",
+    "-{x?N~",
+    " '{9;v-e",
+    "~g7lGz0",
+    "z6*[w<",
+    "%>E9|]gi",
+    "t_H}XT",
+    "W-K[oM",
+    "xq(jR|3D)",
+    "i0Byf=",
+    "4Su-t'",
+    ".h?5UF",
+    "n,[b6i",
+    "\u001f8}/J/",
+    "$6JVh6",
+    "\\mgr-u",
+    "M]9\\HB?",
+    "e*V{\"$",
+    "F`517f\u001f!)",
+    "7Sm(DF",
+    "vNaZCV",
+    "vjy<{$",
+    "o,4>\u001f]",
+    "Pw2~<6A",
+    "%7mxX57",
+    "4]*0D,\u001f",
+    "\"LR19}",
+    ".`<)&N.",
+    "$Qp.Lj",
+    "E|fk&,;",
+    "T !Vom",
+    "'G/`|M;",
+    "PEId_t<!",
+    "7U.g|wk",
+    "M@`K~d",
+    "fCwv0k",
+    "w+A}=[",
+    "Cg.znr",
+    "MnoEGB",
+    "[F.2wp",
+    "7Ws T:",
+    "?yN|(!",
+    "YJ3Jrrli-|",
+    "b4#Y/|",
+    "-cIrC#;",
+    "5mEF-Y_",
+    "~BPaMNAq=",
+    "}TG\u001fNE",
+    "-L>wN%g~",
+    "7zS1o~YU$W",
+    "iM,~*Q[/=",
+    " T qiXb#",
+    "Oj!\u001fD)",
+    "(!UFs{",
+    "4d]z.w",
+    "4`@YB'",
+    "zG>2i)",
+    "J{341@",
+    "Y'{WIQ2",
+    "wlVJ>j",
+    "9X>q1|",
+    "q[LYsw",
+    "aYFw6B}",
+    "u',r\"@Nh}q",
+    "}jc;]T",
+    "2^JIcp",
+    "nK+ Jw",
+    "|(d%0%",
+    "+/km/y",
+    ",62t9x",
+    "P;zR j",
+    "~XMsY\u001f",
+    "RO\\\"3`",
+    "QX;^6*nt",
+    "\"vd-2!",
+    ";N6D\"5",
+    "C)<'9W",
+    "g;\"VW ",
+    ";nX4JEb",
+    "t=D*1 ",
+    "EDXcWtL",
+    "$n!uep",
+    "tVvzC\"",
+    "WH[wL4",
+    "d:QOU>x@",
+    "o#/w#Z-",
+    "/uulk\"NI",
+    "=nX/h{p^r",
+    "+=QZOD",
+    "%R4vJ-r",
+    "{);z5V\"",
+    "?YIb<7",
+    "<rM6sFv",
+    "^BbepS",
+    "@;CJzW",
+    "x?)OSC\"WY",
+    "YW}~7%",
+    ", WnrEcj",
+    "l^XZYAUj",
+    "\\/'.4p3",
+    "Z-'}~a",
+    "~pHe;T",
+    "SfZM:c<",
+    "&\"|1&v",
+    "=ib\u001fzA;Y",
+    ">3,/lTj2",
+    "m`aShE",
+    "ISH#MU",
+    "wD ozv3pL",
+    "[?'jMi~",
+    "\\,Lr.LW",
+    "C)k;/\"",
+    "r_II34",
+    "Zs %Gi",
+    "{qmeRz",
+    "{V8F\"5",
+    "Js[w~q'X",
+    "=oUD%K",
+    "w7kUHL9",
+    "+RfrJ@$7",
+    "cKU/L[",
+    "?-K!9\"k",
+    "1!9F8{",
+    "sYHE4X1",
+    "heS>h;",
+    "}`O=,!z",
+    "4!@[|~V7=:",
+    "@ob \\*",
+    "%u&k+N",
+    ":b<Cjzb",
+    "w<X&mu",
+    "<$4v).",
+    "@^hwY!0",
+    "kOw!6NR",
+    ",)<uPq",
+    "1Ewts}",
+    "A5#V0C",
+    "e_dv/sG)1\"",
+    ".%I}=)",
+    "q6Py\"~)",
+    "I5Z^#7",
+    "433X5YrZ",
+    "c_yg8#as",
+    "vx6`B$",
+    "}8E\\_M",
+    "da4.+e",
+    "D3']q-|",
+    "_<XwLh0",
+    "|DYshu",
+    "**75RfX",
+    "3LnBL_",
+    "\u001fDav]r",
+    "W(o*SE",
+    "[i|k>=7",
+    "5|avPc",
+    "X\\A}r %%",
+    "|d.tZ9",
+    ",+Qj=1w",
+    "9%o\u001fzD",
+    "=kf-+G",
+    ",dy#P&",
+    "|k(6XdB",
+    "IP9Ivx",
+    "_XCy.e",
+    "8Pw?md",
+    "#D5bK]\u001f>",
+    "h\"^^#u",
+    "/!Nn+m",
+    "z!\\R>E",
+    "'ux\\=[#",
+    "UT-$5-",
+    "l~{U<k",
+    "QaJp:_",
+    "x2t4Cm^",
+    "&:Ye=\\",
+    "mSH5X+ZJ",
+    "=UDj\" ",
+    "3_2QB,T",
+    "c}b;]tb",
+    "v_93?g",
+    "5<r(iA",
+    "uxH*S;",
+    ";KcA$]s",
+    "B\\{#g^>j",
+    "di6'?!0",
+    "x40oU4%",
+    "TeKmB,",
+    "`aq\\kv",
+    "y\";QM3",
+    "|d-;+'c",
+    "<G\u001f\u001fXX",
+    ">O&3yL4",
+    "d-:aASPR\"",
+    "F<{y;(",
+    "|hQ@$?",
+    "vzn_3=",
+    "v7yN!&",
+    "9EmRH^xp! O",
+    "s-G_'k@OW",
+    "gdc#iP|",
+    "*KLzi/",
+    "I]O.|Dxn2",
+    "En*6_D",
+    "~x%A57w",
+    " kL=$a\\",
+    "?D8J<f",
+    "`W_)40",
+    "E8n+PhH",
+    "f!<|W%",
+    "cWwnz ",
+    "5$:6T}",
+    "TJzTvH",
+    "{=&lC1",
+    "D99Mc^",
+    "JQ =cJc",
+    "3=|8c1w",
+    "2Y+5?H",
+    "Y^smOS",
+    "F6m-b=",
+    "6rtadW",
+    "S\\{kvQ",
+    "fDk0Mz",
+    "a_![9y",
+    "tZ<%)O",
+    "K%z'-U",
+    "jW`n-\u001f",
+    "FE:H!_",
+    "o8wb34'b",
+    "p6] CX",
+    "'mxf. Z",
+    "J9`Y;\"",
+    "^3a=2.",
+    "5yLUS)\\",
+    "Me8lRx",
+    ".iT\"yj",
+    "F}=96n",
+    "B|2iPu",
+    "V 2?I6",
+    "K4_Trv",
+    ">t<9$P",
+    "7!|#1w2",
+    "i5=<qn",
+    "B9,w=?",
+    "d8WC+H",
+    "E#=.)C",
+    "L^aEk.T;",
+    ",E/jS3",
+    "6nZucm\"",
+    "l4jmrj",
+    "+BT?'4",
+    "T5m *q1",
+    "4$(%<]4?L",
+    ",Sac]H",
+    "F|iR6}Znq",
+    "d\"6 zB",
+    "\u001f^8d$Lc^2>",
+    "A U|(]n",
+    "`h>\"Oe\"",
+    "}oBbj+",
+    "&)&4&s",
+    "DX+3^:n",
+    "xg&lTV",
+    "}]r7s8?",
+    "D{ Ifbv",
+    "y`FBQ9",
+    "pLr-vJL!}T",
+    "/&8/`[",
+    "`pU6[Y~[yX7",
+    "PK+l-\"",
+    "\u001fjm\u001frTA",
+    "lL>Tu/h",
+    "x.~Y~g",
+    "IZ{>iG",
+    "\"_9zx_",
+    "-R?\\BYL",
+    "oK{rJL",
+    "kF(ntd",
+    "vjb(.z_",
+    "df2ap3",
+    "y>GeBD",
+    "^zALa4",
+    "\u001f|1$&9W",
+    "89++vd",
+    "'x{~?h9",
+    "pbys6Y7",
+    "B2'^on`",
+    "]eM2go",
+    "+Oj@n;",
+    "/WYg0m",
+    "EqKiNm7",
+    "?>y1E+",
+    "|\".<9^",
+    "~wQ$aAP",
+    "+r\"RDo",
+    "|Ikox@",
+    "=\"Zgg>",
+    "}#/>lD",
+    "_D4Szs",
+    "8//HYx",
+    "^zt.<u",
+    ";{qa*oM",
+    "0Wa[=B",
+    "=F8=ymt\\ 7",
+    "/:\"u`E",
+    "ig\u001fGL$w",
+    "%l}\\5GF\u001f",
+    "3QZA!G",
+    "d<NvEQ",
+    "m%TDBp",
+    "P+>:,s",
+    "cn5oGz",
+    "m/JMYYw ",
+    ";(|-`S9",
+    "WDgP3\\",
+    "S- groW",
+    "S^42YM",
+    "D>]5=b{",
+    "s+h-WF!",
+    "?Fl& ~}",
+    "jb~rP ",
+    "PY`J%C",
+    "Y,~,mNQ",
+    "@iQ[x>(Z",
+    "#\"<KH@",
+    "!qh<& ",
+    "9)ERV{R",
+    "dO@\"&+",
+    "GNYng!",
+    "g5_Xh3H",
+    "T\"v80C ",
+    "t@lk@4Z",
+    "u\u001f\"0!+",
+    "&\\$4WT\"",
+    "[hlcFr",
+    "2ji?\"'",
+    "8?;<bo ",
+    "3?tG'#",
+    "qKVdd<",
+    "QK,M0oQ)",
+    "uJ:d<3",
+    "0*li4=",
+    ">d\\Xk!",
+    "VhYwMG",
+    "\\n|%T\"",
+    "\u001fPkT:=}",
+    "~rDXfI",
+    ":3-~O/{",
+    "'}!TK0",
+    ";rb\"8N",
+    "@V$3XAA{",
+    " @}++\"",
+    "'q\"3Ip",
+    "9G=~HO",
+    "^6?!:8",
+    "h#@Ke<",
+    ">?Y~ZXig",
+    "T6sc'>",
+    "uH3TJ,",
+    "#iO\"T-&",
+    "=ln0 v`",
+    "7yBQclg}",
+    ",ys!47",
+    ":)5&N\\",
+    "6)#G1=",
+    "1);C 0",
+    "iKt0G=\\",
+    "/rZ..t(}",
+    "i1bj!v",
+    "!CGcWn",
+    "3Y SwH5",
+    ")%i3G\\R",
+    "3=H%-d",
+    "{(G(20xx{",
+    "l&o\u001f*~;",
+    ",Z)%kLi",
+    "]n%pqD",
+    ">A-j^F",
+    "N|u#LjWZ",
+    "fSSyjF",
+    "vO3qh(S",
+    "~3_`k[=6",
+    "uV_Xff",
+    "c@o&FE",
+    "IZW(Jq",
+    "n :e_Z",
+    "}o)~iD",
+    "8K>8b.!",
+    "96&\\NN",
+    "!\\sMV)",
+    "7hM=up",
+    "1ch/<*",
+    "&SOGD7<]",
+    "(#O_=OBCaex=",
+    "jZA'-9",
+    "@X:r?6",
+    " z>$0S",
+    "d*+'c)",
+    "^sF_V7VFg",
+    "U.Rj(o",
+    "ff:IZ&E|=o:%",
+    "@6=cp$",
+    "DAu7~\"7",
+    ">>KYv9S",
+    "&/^,`|{",
+    ")oaq#=",
+    "C[U\"9_P",
+    "vQO75H<",
+    "&8gYDP",
+    "rzX7]Oo",
+    "X'?,Yp",
+    "?i{G\\^",
+    "zz$iK[",
+    "k|~)\u001fdxh",
+    "JO39k\\",
+    "9\"(*Y:",
+    "5Hlb7E",
+    "aZ()tR~",
+    "l)sfo\"",
+    "\"}K-TF",
+    "F|~nuI",
+    "PT'|+>",
+    "!^n#d^",
+    "E}>S>0n",
+    "A=#b,6",
+    "[f(K3X<",
+    "AGq_WX",
+    "l~F%Z#W",
+    "}2VzlX",
+    "<%w7k/",
+    "1h|4APO",
+    "'bSb;7",
+    "N*@tHXq(",
+    "kn@SkX",
+    "5Auk{:",
+    "U\\{{R<6",
+    "w8(@p0",
+    "CiO>tD",
+    "{_|2X;",
+    "n1}0gV",
+    "]2'n{JV`",
+    "ot)uz)",
+    "$MDu6&",
+    "A\"9y `:",
+    "vR-,:ZN",
+    "(/.(z12",
+    "Z}h!-TI",
+    ";[BG|c\u001f3l",
+    "1@1iU_",
+    "T\"aXLl~",
+    "]5GsgOm",
+    "$m@kQ*E",
+    "b`IawA",
+    "\\!K&-Q[6",
+    ";QMY;P",
+    "5T%uZhUVd",
+    "(7m@4Ux",
+    "BX^7Hs",
+    "<<Dd`wl\\",
+    "DN>\u001fS;",
+    "$e vn\"s",
+    "&M~&(c",
+    "%xSg!&",
+    "96$)r0",
+    "z nDuT",
+    "I;vD^c",
+    "8?-}|h}",
+    "X`\u001fDdH5k",
+    "I)@u:b",
+    "uo!INN",
+    "c)uV=ZuSqZ",
+    "E<vuk'",
+    "c<9tv1P",
+    "n5>)_&",
+    "Xc|}Ja",
+    "g Bs},",
+    "kY\\P3jUK",
+    "(P2AAP@",
+    "Zp*ut;!X",
+    "@GX|)E",
+    "/wWqjt",
+    "1 8!{B\u001f?$",
+    "n(Pvb[[",
+    "R3t5u8",
+    "T7[]& =",
+    "j&&jf>",
+    "5+Nx|`",
+    "stPW,0",
+    "w^]`\\',",
+    "OKqJ y",
+    "+CL(u+",
+    "/VksQ>",
+    "LW|H560",
+    "W,a2iQM",
+    "(-XwA`",
+    "$cD]StJf",
+    "(LL~QE$",
+    "S:j.9~b",
+    "z&kKJ{?!",
+    "zO^PhT",
+    "2#y+>j?",
+    "V}F{O+",
+    "IcU0U-",
+    "0=k\",Q",
+    "\\76%S,U|",
+    "k{qyE|",
+    "QwqZo`",
+    "m\u001f7r_M",
+    "I2rP]b",
+    "(.|}<s",
+    "mb@3eT",
+    ".3Ek[v",
+    "`X~zA&",
+    "L3Q%2IkH",
+    "F1E\"F3-",
+    "-VHe!_\u001fr",
+    "ty3T{j",
+    "gC&D4A",
+    "1#}4k[",
+    "Fe>66N",
+    "}\\iD=D",
+    "j0SM3q&",
+    "y[v{Hg",
+    "*}`R@$",
+    "R`$u1y2 ",
+    "`:nn#p0",
+    "mL?8o'{",
+    "+A\u001fyAC0",
+    "-9Ex5\u001f",
+    "{2M.=eP",
+    ")hJy;BQz!",
+    "9^\u001f0K ",
+    "0OG&\"y",
+    "_J}PfuJ",
+    "BgCF.tR",
+    " ,0iSQ",
+    "TeYn~w`y",
+    ")?I$(%",
+    "+?XrF3",
+    "u|G:F.",
+    "JQAS%M",
+    "2QU }(",
+    "yx6c]n2",
+    "B1|7E*f-A",
+    "{9k_mH",
+    "m{$3mo7",
+    "64#Yhq",
+    ";Z;h-w,BZ",
+    "@NY!c2D+?",
+    "=7C+o`",
+    "P'WMifq",
+    "&r>MCP",
+    "U9ziw>",
+    ".=~igz%",
+    "2MSbK[",
+    "6UdOh|LzRF",
+    "((@v]5",
+    ",oA1]CG",
+    "\u001f+W\u001f*Y",
+    "8`w+*S;",
+    "I&lc\">",
+    "EHb~t]>",
+    ",lJ{F<",
+    "_/jV@q",
+    "9T^S59t^",
+    "jZtY@Lu",
+    "2]%_r,",
+    "yv<\u001fllC",
+    "_gRcp`",
+    "Ifop)A8",
+    "HNqBS ",
+    "8=C1PUf",
+    "V]$~RR",
+    "U`U>} ",
+    "8/xg@%",
+    "ZY\u001fSi\u001f",
+    "kuzW7#;",
+    "KmXdnt",
+    "1\"n9Pt",
+    "y9?/,]",
+    "DH\u001fj4XwL",
+    "'F^}/CM",
+    "QO/~O6_",
+    "$4ot]0=",
+    "$*sV\\>",
+    "iI/yMq",
+    ":}J=1^",
+    "gzl)&^",
+    "`0Cbn!",
+    "c|w=6d",
+    "=u[_>X",
+    "[xs2.o7d",
+    "Y~B\u001fo]$",
+    "Hz74Jl",
+    ":qcj R",
+    "Xf<]7i",
+    "9,Em$<",
+    "Q:@8hp",
+    "w FtBGu",
+    "22\\k1V",
+    "Gp=Cc-",
+    "YI%bSz*",
+    "+Et1|M",
+    "5=g,Z`s4w.",
+    "/QJgf# #",
+    "j]k?6)",
+    "JDm@&%",
+    "Ytl\u001f:L",
+    "f'TI6^",
+    "0Y,w,v\\",
+    "m mV2d",
+    ":$4#O'",
+    "6}Xcy{",
+    "/VbEb{`",
+    "3&-\\s)D",
+    "sR.r[_2",
+    "PV[O}b",
+    ")NvC3?V",
+    "I65I.0",
+    "6xPx|e",
+    "3HP77-2Z",
+    ". M%rY",
+    "-nA]#R",
+    "S#r`<.#",
+    "an]RDw",
+    "B\\S8z4l",
+    "t\":R7c",
+    "+l1WIG",
+    "4Trch[",
+    "/ED:21:",
+    "/(Zhj\\d",
+    "xdNioq",
+    "%eY-6,vN{",
+    "~9\\UOA",
+    "@24N4U",
+    "I_$2 G",
+    "7gEZ\u001fT",
+    "2q'?DN",
+    "Sl<U?/J",
+    "F(zI|#8r",
+    "f&v>x`3m",
+    "xg8;\\w",
+    "Eg1\u001f]U([",
+    "[C?aAEN",
+    ">G@p?<",
+    "zJ/6*8G",
+    "Cji?~6x",
+    "/NN\\Jz",
+    "erI\u001fs{g",
+    "Wk=/X~",
+    "Ig%8h&N",
+    "6W ,i@\\",
+    "\u001fdoY6b",
+    "?I'(8c",
+    ";fS$.qR",
+    "1QQD&*.S;",
+    "{Fwp6P",
+    "\u001f.Q.x-'",
+    "XnmLe0",
+    "#L)m8V",
+    "b_>nM\\",
+    "aT\u001f`Is",
+    "B\u001fC\u001fJ;",
+    "Q!1Me[",
+    ";CE[YUr",
+    "&II$\u001f>H",
+    "QN1O\u001fd",
+    "$fBRM^A",
+    "0j=o\u001f\u001f8W",
+    "H#fUVl<2j",
+    "E7* 4V",
+    "G$pje-",
+    "]B7.,{",
+    "lI2qR\"",
+    "l~D\"-M",
+    "\\ (VUj",
+    "FlSZVyM",
+    "/9rm\u001fkw",
+    "d\"f?\u001f[",
+    "=j#Aqw",
+    "'*!&v:",
+    ")f'dv'(",
+    "h2vxntA",
+    "2fO\\#?",
+    "@JGg#G",
+    "GqIjx.",
+    "=7}%6j",
+    "dXt.s1b",
+    "T42JGlzU",
+    "NlX$Uat",
+    "8h'UtV",
+    "uQzx/2",
+    "dS],J'",
+    "6n(fF$",
+    "'(BzG_",
+    "nzMB+z0",
+    "RSj4]O",
+    "vat}hg",
+    "mc_[a5",
+    "N3k6Dkn",
+    "MDU\\7p)g",
+    "MrKeN\u001f",
+    "a&;s8@",
+    "Dsk+}}",
+    "`**-b0",
+    "OGcPC4",
+    "72gm@5",
+    "6omRC?c6",
+    "0107sh ",
+    "_C~k*K",
+    "vz}/]RNb",
+    "tu\\pP\\Kz",
+    ",;muvQ",
+    "HIFw<MK",
+    "3?c:/E_m",
+    "_~:x=\u001f>^",
+    "j5Aq2Q",
+    "iEC\"zT",
+    "Vc828T",
+    "~w[\u001fk#",
+    "rV=he7",
+    "'JX;\u001f0",
+    "RQ=t'>+Y",
+    "m\"dUBu[}{",
+    "Dd6~,*0",
+    "~Oz-v;",
+    ":8bC0^",
+    ":FH5\"g",
+    "cG\u001f4LA",
+    "\\OljvR",
+    "&)YC]W)",
+    "qHFhKCEH",
+    "e,|'_]",
+    "S^o<&Z}",
+    "RrIi$>XOb",
+    "_c$ ,@>I",
+    "\u001f7<7=5",
+    ":|GM\\i80",
+    "li!sDK",
+    "){yL0@'I1",
+    "|}NMpc",
+    "x~RO*G",
+    "CZR2sZZ",
+    "sf8-4w",
+    "!(WJRM#",
+    "dt^tM]X",
+    "5bJ2A\\",
+    "-n$&dka",
+    "b:*5E1",
+    "<Y#`?<",
+    "wL16~H",
+    "Fn6\"tk",
+    "ogLF'P",
+    "RVL`Vy",
+    "VmG<)tV",
+    "h+I2V7<1",
+    ",KWAOf",
+    "\"*|t0~",
+    "}8R|Ro#T",
+    "WG8*6^LxF",
+    "j-PIHr",
+    "+C}oCDSG",
+    "#\\|4%_",
+    "e ^og{",
+    "|6t'ZFX",
+    "\u001fr4cSE",
+    "C6Qo<q",
+    "Xz!du>",
+    "P(<F\"g.Q&",
+    "I2Y&v[",
+    ".+gx<%(N",
+    "b8?}.`V",
+    "l.V bh",
+    "H/} TJ",
+    "\u001f5:n)3T",
+    "UZ72+m",
+    "AFpU54",
+    "Q+:!%,",
+    "z/h\\;l|",
+    "},;fS<X\"",
+    "fW1EP_^",
+    "WnsOdy",
+    "2oC\"$e",
+    "&*6#/q",
+    ":[8v8n",
+    "9-`Ziw",
+    "s{=6N85",
+    "<5`\"]c",
+    "\\o%DyPL",
+    "Flz@S+Vg7",
+    "*3x7nO",
+    "`0;9{b",
+    "6k!EuH@tY",
+    "5Nj?]P",
+    "+]M,h9;",
+    "$g6>@I",
+    "/07OrO)",
+    ":qg!nSs",
+    "$.Gyzf",
+    "OQJ\\Gv",
+    "nP}I<E!f",
+    "&/hZ|p",
+    "#<~Wzr2b5b",
+    "DYrO=5K",
+    "U~TbpW",
+    "I@<k#EpQ",
+    "4Z|5V$",
+    "D);0$}",
+    "Vkt2WSxV\"H",
+    "|%}Yap",
+    "}B1}/X",
+    "I:l:3$",
+    "<MC)}a",
+    "2V3y\u001fQ",
+    "<^aQK\u001f^",
+    "G<=oLrG",
+    "!YByU.",
+    "?cv1Ed4",
+    "/+C8-ue",
+    "g&0y<%-4",
+    "STx-mB",
+    "epW\"bVm6",
+    ",;oNp)",
+    "u`OS3C~",
+    "yw/D@#",
+    "C{/KH2",
+    "CL8NQ5",
+    "Lute0X^",
+    "Y/QtDd'",
+    "yAzCHx",
+    "E?$>.\"",
+    "<f}+^f\"",
+    "L\"z>G~iG",
+    "=zLO< *.X#}",
+    "I\"S-pY\"",
+    "lCaa*p",
+    "p!$4zg",
+    "?/O0Rw",
+    "Czvc/{3",
+    "F]kYd ",
+    ":=W\u001f\u001fd",
+    "ykl &3",
+    "7~E]*.h",
+    "^]~SRg",
+    "L}$jEQ",
+    "&^3s.1",
+    "n<*;JW",
+    "gp^q3q",
+    "8K\\{Q5",
+    "o)3^e0",
+    "28{POn",
+    "z.2Od|;",
+    "h&)4;BbS",
+    "J=oF>O7",
+    "g-n5pl&",
+    "<+?_l8",
+    "P\\QoihPzo",
+    "'GrXn>",
+    "bis~Cq9",
+    "nIwmQ/mKv:",
+    "V>{onu",
+    "+v^}uU",
+    ";vJQdpD-",
+    "Gc[k\u001f3",
+    "iER4lc",
+    ".o0Z\\`",
+    "ki*XJaq",
+    "kPxDga'Gp]",
+    "cC-5|Q",
+    "CFC;WnvW",
+    "%OLGFl^",
+    "MlV/3T}K",
+    "\u001fz9m=w",
+    "_($_z)r",
+    "lJz,Fw",
+    "NLN|\u001fl'",
+    "!j&'F9",
+    "O_1UY~;`",
+    "-r_6HJv",
+    "b`q\\x\\dq",
+    "{h}\\a%",
+    ">~9W3J",
+    "ffV,6H",
+    "Y6(qJV",
+    "xsCx=U",
+    "_bq\u001fiq",
+    "mzEtq{",
+    "vD#o3K",
+    "TSilz\"a",
+    "<h  HT",
+    "0hnj+g(",
+    "\u001f@;aBk",
+    "0KN'@ X",
+    "5frU7R",
+    "W2K?\\U",
+    "YTdo/-",
+    "J7yepb",
+    "8q-h-y",
+    "j`<z^(8",
+    "q}@DhHC$",
+    "F8!u$1-",
+    "q[nnO&J",
+    "Y<?^({",
+    "-<+qC(",
+    "k #U\\4h",
+    "|FN-/^",
+    "PDgbzL",
+    "FnB:W'",
+    "~v:Us&",
+    "$j]X:t",
+    "M)E7ZK0",
+    "7L{Si^H",
+    "T|QW5m",
+    "IJ^'A1R<",
+    "7cpF.#",
+    "thmuo)",
+    "tQ@1?\u001f",
+    "?3_\u001f.i/",
+    "(j9:-^",
+    "h,3pxp",
+    "UI\"^gE",
+    ")el=6Dl7",
+    ";U%}nQojL",
+    "%Lz4p+",
+    "m1d2xJ EO",
+    "^? CNt$",
+    "A-H`n#",
+    "qFaw$Q",
+    "&?8q)Y",
+    "bWI7.-",
+    "GSVW w",
+    "N`l~?E",
+    "\\^~rs{:",
+    ">{yN,L:m",
+    "w}QrU=D",
+    "chg1xI",
+    "xgi?kq",
+    "`%hx4d",
+    ")uj| |",
+    "lX=BXU",
+    "odzxo I",
+    "B`<qoM",
+    "J)zqoN",
+    "*Ix,93",
+    "kr~J-c",
+    "6hL[QTr",
+    "@^]mFP",
+    "Y'LflI",
+    "rCIAJh",
+    "+\\&zLbgNu",
+    "ilU=}L]",
+    "&I!qC@w",
+    "(|'zp[",
+    "A^^\\lV",
+    "Ye(36#8",
+    "(_5C+D",
+    "Ya\"pN#",
+    "gV[A=9",
+    "j{e S4",
+    "eiipak",
+    "-%OSY@",
+    "jBr\\a~",
+    "f,MF*S",
+    "t*K6X]",
+    "KdBA&'",
+    "q7#AN+",
+    ">c:BTV[",
+    ",o$#s9",
+    "it9\\PST",
+    "DQY>3G<",
+    "tSW\"6\u001f",
+    "?+uN~;o",
+    "><^]+w",
+    "egi+fU",
+    "-@M^Nt",
+    "bK'nZX",
+    "?p<+=hZ",
+    "?96j[Eh",
+    "ttYo%$",
+    "&9}_hm'x",
+    "k4z7#8",
+    "p:->%[",
+    "e#B@idEo",
+    ".o&~Fh}XSCK",
+    "]IV`KQ/[",
+    "~eC(/{d",
+    "\\Gx:*i.",
+    "-\\/_2f>",
+    "8U0 ACJ",
+    "+ID%GWd7",
+    "zv2>N)",
+    "Up@xk17",
+    "t$t#t$l",
+    "D$t#D$h",
+    "D$t+D$\\",
+    ".)D$H)",
+    "s`)L$4",
+    "D$t+D$\\",
+    "\u001f)D$H)",
+    "9l$\\w_",
+    "XPTPSW",
+    "wwwwwww",
+    "KERNEL32.DLL",
+    "msvcrt.dll",
+    "LoadLibraryA",
+    "GetProcAddress",
+    "VirtualProtect",
+    "VirtualAlloc",
+    "VirtualFree",
+    "ExitProcess",
+    "IDI_MAIN_ICON"
+  ],
+  "target": {
+    "category": "file",
+    "file": {
+      "crc32": "33F8BB85",
+      "md5": "9fbdc5eca123e81571e8966b9b4e4a1e",
+      "name": "Win32.DarkTequila.exe",
+      "path": "/home/jean/.cuckoo/storage/binaries/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47",
+      "sha1": "7a5b7c5378e0afcc77098a87358e4f6a032d3b00",
+      "sha256": "dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47",
+      "sha512": "13aa9eb138a716ce9b5e90806c34b5b724a0be78bb747a50b28e9c48e6eed317ff0b46652dc1fcabb973d6a6a5e3a770eea85cfd8b5a0e723f58f4edce2bdd9e",
+      "size": 877568,
+      "ssdeep": null,
+      "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed",
+      "urls": [],
+      "yara": [
+        {
+          "meta": { "description": "(no description)" },
+          "name": "loki",
+          "offsets": { "var1": [[91, 0]] },
+          "strings": ["Y2Fubm90"]
+        }
+      ]
+    }
+  },
+  "virustotal": {
+    "md5": "9fbdc5eca123e81571e8966b9b4e4a1e",
+    "normalized": [
+      "AIDetectVM",
+      "malware2",
+      "malicious",
+      "high confidence",
+      "score",
+      "Dynamer",
+      "GenericRXAA",
+      "Unsafe",
+      "Kryptik",
+      "DarkTequila",
+      "Graftor",
+      "TSPY",
+      "Eldorado",
+      "DarkTeq",
+      "Bancos",
+      "dyfxok",
+      "Gencirc",
+      "EBT@611gnb",
+      "XPACK",
+      "Gen3",
+      "DownLoader17",
+      "cobra",
+      "R + W32",
+      "Crastic",
+      "Static AI",
+      "Suspicious PE",
+      "Strictor",
+      "ai score=100",
+      "SGeneric",
+      "Mydoom",
+      "trya",
+      "BScope",
+      "EBTT",
+      "x7t89GcJVs8",
+      "Genetic",
+      "confidence",
+      "100%"
+    ],
+    "permalink": "https://www.virustotal.com/gui/file/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47/detection/f-dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853",
+    "positives": 62,
+    "resource": "9fbdc5eca123e81571e8966b9b4e4a1e",
+    "response_code": 1,
+    "scan_date": "2020-11-17 01:50:53",
+    "scan_id": "dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853",
+    "scans": {
+      "ALYac": {
+        "detected": true,
+        "normalized": ["DarkTequila"],
+        "result": "Trojan.Agent.DarkTequila",
+        "update": "20201116",
+        "version": "1.1.1.5"
+      },
+      "APEX": {
+        "detected": true,
+        "normalized": ["Malicious"],
+        "result": "Malicious",
+        "update": "20201116",
+        "version": "6.98"
+      },
+      "AVG": {
+        "detected": true,
+        "normalized": [],
+        "result": "Win32:Malware-gen",
+        "update": "20201117",
+        "version": "20.10.5736.0"
+      },
+      "Acronis": {
+        "detected": true,
+        "normalized": [],
+        "result": "suspicious",
+        "update": "20201023",
+        "version": "1.1.1.80"
+      },
+      "Ad-Aware": {
+        "detected": true,
+        "normalized": ["Graftor"],
+        "result": "Gen:Variant.Graftor.129365",
+        "update": "20201117",
+        "version": "3.0.16.117"
+      },
+      "AegisLab": {
+        "detected": true,
+        "normalized": ["DarkTequila", "trya"],
+        "result": "Trojan.Win32.DarkTequila.trya",
+        "update": "20201117",
+        "version": "4.2"
+      },
+      "AhnLab-V3": {
+        "detected": true,
+        "normalized": [],
+        "result": "Trojan/Win32.HDC.C138160",
+        "update": "20201116",
+        "version": "3.19.1.10100"
+      },
+      "Alibaba": {
+        "detected": true,
+        "normalized": ["DarkTequila"],
+        "result": "Worm:Win32/DarkTequila.7550016f",
+        "update": "20190527",
+        "version": "0.3.0.5"
+      },
+      "Antiy-AVL": {
+        "detected": true,
+        "normalized": ["SGeneric"],
+        "result": "Trojan/Win32.SGeneric",
+        "update": "20201116",
+        "version": "3.0.0.1"
+      },
+      "Arcabit": {
+        "detected": true,
+        "normalized": ["Graftor"],
+        "result": "Trojan.Graftor.D1F955",
+        "update": "20201116",
+        "version": "1.0.0.881"
+      },
+      "Avast": {
+        "detected": true,
+        "normalized": [],
+        "result": "Win32:Malware-gen",
+        "update": "20201117",
+        "version": "20.10.5736.0"
+      },
+      "Avira": {
+        "detected": true,
+        "normalized": ["XPACK", "Gen3"],
+        "result": "TR/Crypt.XPACK.Gen3",
+        "update": "20201116",
+        "version": "8.3.3.8"
+      },
+      "Baidu": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20190318",
+        "version": "1.0.0.2"
+      },
+      "BitDefender": {
+        "detected": true,
+        "normalized": ["Graftor"],
+        "result": "Gen:Variant.Graftor.129365",
+        "update": "20201116",
+        "version": "7.2"
+      },
+      "BitDefenderTheta": {
+        "detected": true,
+        "normalized": [],
+        "result": "AI:Packer.519AA5961F",
+        "update": "20201113",
+        "version": "7.2.37796.0"
+      },
+      "Bkav": {
+        "detected": true,
+        "normalized": ["AIDetectVM", "malware2"],
+        "result": "W32.AIDetectVM.malware2",
+        "update": "20201116",
+        "version": "1.3.0.9899"
+      },
+      "CAT-QuickHeal": {
+        "detected": true,
+        "normalized": ["Dynamer"],
+        "result": "Trojan.Dynamer.8198",
+        "update": "20201116",
+        "version": "14.00"
+      },
+      "CMC": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201116",
+        "version": "2.7.2019.1"
+      },
+      "ClamAV": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201116",
+        "version": "0.102.3.0"
+      },
+      "Comodo": {
+        "detected": true,
+        "normalized": ["EBT@611gnb"],
+        "result": "TrojWare.Win32.Crypt.EBT@611gnb",
+        "update": "20201116",
+        "version": "32996"
+      },
+      "CrowdStrike": {
+        "detected": true,
+        "normalized": ["malicious", "confidence", "100%"],
+        "result": "win/malicious_confidence_100% (W)",
+        "update": "20190702",
+        "version": "1.0"
+      },
+      "Cybereason": {
+        "detected": true,
+        "normalized": ["malicious"],
+        "result": "malicious.ca123e",
+        "update": "20190616",
+        "version": "1.2.449"
+      },
+      "Cylance": {
+        "detected": true,
+        "normalized": ["Unsafe"],
+        "result": "Unsafe",
+        "update": "20201117",
+        "version": "2.3.1.101"
+      },
+      "Cynet": {
+        "detected": true,
+        "normalized": ["Malicious", "score"],
+        "result": "Malicious (score: 100)",
+        "update": "20201115",
+        "version": "4.0.0.24"
+      },
+      "Cyren": {
+        "detected": true,
+        "normalized": ["Eldorado"],
+        "result": "W32/S-91f5258d!Eldorado",
+        "update": "20201116",
+        "version": "6.3.0.2"
+      },
+      "DrWeb": {
+        "detected": true,
+        "normalized": ["DownLoader17"],
+        "result": "Trojan.DownLoader17.30288",
+        "update": "20201116",
+        "version": "7.0.49.9080"
+      },
+      "ESET-NOD32": {
+        "detected": true,
+        "normalized": ["Kryptik", "EBTT"],
+        "result": "a variant of Win32/Kryptik.EBTT",
+        "update": "20201117",
+        "version": "22331"
+      },
+      "Elastic": {
+        "detected": true,
+        "normalized": ["malicious", "high confidence"],
+        "result": "malicious (high confidence)",
+        "update": "20201030",
+        "version": "4.0.12"
+      },
+      "Emsisoft": {
+        "detected": true,
+        "normalized": ["Graftor"],
+        "result": "Gen:Variant.Graftor.129365 (B)",
+        "update": "20201116",
+        "version": "2018.12.0.1641"
+      },
+      "F-Secure": {
+        "detected": true,
+        "normalized": ["XPACK", "Gen3"],
+        "result": "Trojan.TR/Crypt.XPACK.Gen3",
+        "update": "20201116",
+        "version": "12.0.86.52"
+      },
+      "FireEye": {
+        "detected": true,
+        "normalized": [],
+        "result": "Generic.mg.9fbdc5eca123e815",
+        "update": "20201116",
+        "version": "32.36.1.0"
+      },
+      "Fortinet": {
+        "detected": true,
+        "normalized": ["Kryptik", "EBTT"],
+        "result": "W32/Kryptik.EBTT!tr",
+        "update": "20201116",
+        "version": "6.2.142.0"
+      },
+      "GData": {
+        "detected": true,
+        "normalized": ["Graftor"],
+        "result": "Gen:Variant.Graftor.129365",
+        "update": "20201117",
+        "version": "A:25.27695B:27.20909"
+      },
+      "Gridinsoft": {
+        "detected": true,
+        "normalized": ["Mydoom"],
+        "result": "Worm.Win32.Mydoom.ka!i",
+        "update": "20201116",
+        "version": "1.0.17.106"
+      },
+      "Ikarus": {
+        "detected": true,
+        "normalized": [],
+        "result": "Trojan.Win32.Crypt",
+        "update": "20201116",
+        "version": "0.1.5.2"
+      },
+      "Invincea": {
+        "detected": true,
+        "normalized": ["R + W32", "Crastic"],
+        "result": "Mal/Generic-R + W32/Crastic-A",
+        "update": "20201117",
+        "version": "1.0.2.0"
+      },
+      "Jiangmin": {
+        "detected": true,
+        "normalized": ["Strictor"],
+        "result": "Variant.Strictor.h",
+        "update": "20201116",
+        "version": "16.0.100"
+      },
+      "K7AntiVirus": {
+        "detected": true,
+        "normalized": [],
+        "result": "Trojan ( 0004a2ea1 )",
+        "update": "20201116",
+        "version": "11.150.35741"
+      },
+      "K7GW": {
+        "detected": true,
+        "normalized": [],
+        "result": "Trojan ( 0004a2ea1 )",
+        "update": "20201116",
+        "version": "11.150.35742"
+      },
+      "Kaspersky": {
+        "detected": true,
+        "normalized": ["DarkTequila"],
+        "result": "Trojan.Win32.DarkTequila.d",
+        "update": "20201117",
+        "version": "15.0.1.13"
+      },
+      "Kingsoft": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201117",
+        "version": "2013.8.14.323"
+      },
+      "MAX": {
+        "detected": true,
+        "normalized": ["ai score=100"],
+        "result": "malware (ai score=100)",
+        "update": "20201117",
+        "version": "2019.9.16.1"
+      },
+      "Malwarebytes": {
+        "detected": true,
+        "normalized": [],
+        "result": "Trojan.Downloader.FB",
+        "update": "20201117",
+        "version": "3.6.4.335"
+      },
+      "MaxSecure": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201116",
+        "version": "1.0.0.1"
+      },
+      "McAfee": {
+        "detected": true,
+        "normalized": ["GenericRXAA"],
+        "result": "GenericRXAA-FA!9FBDC5ECA123",
+        "update": "20201116",
+        "version": "6.0.6.653"
+      },
+      "McAfee-GW-Edition": {
+        "detected": true,
+        "normalized": [],
+        "result": "BehavesLike.Win32.Generic.cc",
+        "update": "20201116",
+        "version": "v2019.1.2+3728"
+      },
+      "MicroWorld-eScan": {
+        "detected": true,
+        "normalized": ["Graftor"],
+        "result": "Gen:Variant.Graftor.129365",
+        "update": "20201116",
+        "version": "14.0.409.0"
+      },
+      "Microsoft": {
+        "detected": true,
+        "normalized": ["Crastic"],
+        "result": "Worm:Win32/Crastic!rfn",
+        "update": "20201116",
+        "version": "1.1.17600.5"
+      },
+      "NANO-Antivirus": {
+        "detected": true,
+        "normalized": ["dyfxok"],
+        "result": "Trojan.Win32.Dwn.dyfxok",
+        "update": "20201116",
+        "version": "1.0.146.25233"
+      },
+      "Paloalto": {
+        "detected": true,
+        "normalized": [],
+        "result": "generic.ml",
+        "update": "20201117",
+        "version": "1.0"
+      },
+      "Panda": {
+        "detected": true,
+        "normalized": ["Genetic"],
+        "result": "Trj/Genetic.gen",
+        "update": "20201116",
+        "version": "4.6.4.2"
+      },
+      "Qihoo-360": {
+        "detected": true,
+        "normalized": [],
+        "result": "Win32/Trojan.160",
+        "update": "20201117",
+        "version": "1.0.0.1120"
+      },
+      "Rising": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201117",
+        "version": "25.0.0.26"
+      },
+      "SUPERAntiSpyware": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201113",
+        "version": "5.6.0.1032"
+      },
+      "Sangfor": {
+        "detected": true,
+        "normalized": [],
+        "result": "Malware",
+        "update": "20201116",
+        "version": "1.0"
+      },
+      "SentinelOne": {
+        "detected": true,
+        "normalized": ["Static AI", "Suspicious PE"],
+        "result": "Static AI - Suspicious PE",
+        "update": "20201105",
+        "version": "4.7.0.18"
+      },
+      "Sophos": {
+        "detected": true,
+        "normalized": ["Crastic"],
+        "result": "W32/Crastic-A",
+        "update": "20201117",
+        "version": "4.98.0"
+      },
+      "Symantec": {
+        "detected": true,
+        "normalized": ["DarkTeq"],
+        "result": "Backdoor.DarkTeq",
+        "update": "20201116",
+        "version": "1.13.0.0"
+      },
+      "TACHYON": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201117",
+        "version": "2020-11-17.01"
+      },
+      "Tencent": {
+        "detected": true,
+        "normalized": ["Gencirc"],
+        "result": "Malware.Win32.Gencirc.10b3f5ed",
+        "update": "20201117",
+        "version": "1.0.0.1"
+      },
+      "TotalDefense": {
+        "detected": true,
+        "normalized": ["Bancos"],
+        "result": "Win32/Bancos_i",
+        "update": "20201117",
+        "version": "37.1.62.1"
+      },
+      "TrendMicro": {
+        "detected": true,
+        "normalized": ["TSPY", "DARKTEQUILA"],
+        "result": "TSPY_DARKTEQUILA.A",
+        "update": "20201117",
+        "version": "11.0.0.1006"
+      },
+      "TrendMicro-HouseCall": {
+        "detected": true,
+        "normalized": ["TSPY", "DARKTEQUILA"],
+        "result": "TSPY_DARKTEQUILA.A",
+        "update": "20201117",
+        "version": "10.0.0.1040"
+      },
+      "VBA32": {
+        "detected": true,
+        "normalized": ["BScope"],
+        "result": "BScope.Worm.Autorun",
+        "update": "20201116",
+        "version": "4.4.1"
+      },
+      "VIPRE": {
+        "detected": true,
+        "normalized": ["cobra"],
+        "result": "Trojan.Win32.Generic.pak!cobra",
+        "update": "20201117",
+        "version": "88258"
+      },
+      "ViRobot": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201116",
+        "version": "2014.3.20.0"
+      },
+      "Webroot": {
+        "detected": true,
+        "normalized": [],
+        "result": "W32.Trojan.Gen",
+        "update": "20201117",
+        "version": "1.0.0.403"
+      },
+      "Yandex": {
+        "detected": true,
+        "normalized": ["Kryptik", "x7t89GcJVs8"],
+        "result": "Trojan.Kryptik!x7t89GcJVs8",
+        "update": "20201114",
+        "version": "5.5.2.24"
+      },
+      "Zillya": {
+        "detected": true,
+        "normalized": ["Kryptik"],
+        "result": "Trojan.Kryptik.Win32.820724",
+        "update": "20201116",
+        "version": "2.0.0.4223"
+      },
+      "ZoneAlarm": {
+        "detected": true,
+        "normalized": ["DarkTequila"],
+        "result": "Trojan.Win32.DarkTequila.d",
+        "update": "20201117",
+        "version": "1.0"
+      },
+      "Zoner": {
+        "detected": false,
+        "normalized": [],
+        "result": null,
+        "update": "20201116",
+        "version": "0.0.0.0"
+      },
+      "eGambit": {
+        "detected": true,
+        "normalized": ["Unsafe", "Score"],
+        "result": "Unsafe.AI_Score_64%",
+        "update": "20201117",
+        "version": null
+      }
+    },
+    "sha1": "7a5b7c5378e0afcc77098a87358e4f6a032d3b00",
+    "sha256": "dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47",
+    "summary": {
+      "permalink": "https://www.virustotal.com/gui/file/dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47/detection/f-dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47-1605577853",
+      "positives": 62,
+      "scan_date": "2020-11-17 01:50:53"
+    },
+    "total": 72,
+    "verbose_msg": "Scan finished, information embedded"
+  }
+}
-- 
GitLab