From 63608f39553f72f4ca5083b2622dd07c128e9e24 Mon Sep 17 00:00:00 2001
From: Yacine Elhamer
Date: Tue, 11 Jun 2024 01:37:04 +0100
Subject: [PATCH 1/2] add test sample for drakvuf feature extractor
---
 .../drakmon.log | 4001 +++++++++++++++++
 1 file changed, 4001 insertions(+)
 create mode 100644 dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log
diff --git a/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log b/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log
new file mode 100644
index 0000000..4b26434
--- /dev/null
+++ b/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log
@@ -0,0 +1,4001 @@ +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x121a0000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x121a0000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel32.dll", "DllBase": "0x7ffbc2640000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"SetUnhandledExceptionFilter": 132480, "CreateProcessInternalW": 241936, "MoveFileWithProgressW": 246112, "MoveFileWithProgressTransactedW": 143376, "CreateDirectoryW": 152240, "CreateDirectoryExW": 241552, "RemoveDirectoryA": 153232, "RemoveDirectoryW": 153248, "FindFirstFileExA": 152464, "FindFirstFileExW": 152480, "FindNextFileW": 152592, "CopyFileA": 402736, "CopyFileW": 153936, "CopyFileExW": 134720, "DeleteFileA": 152320, "DeleteFileW": 152336, "GetDiskFreeSpaceExA": 152672, "GetDiskFreeSpaceExW": 152688, "GetDiskFreeSpaceA": 152656, "GetDiskFreeSpaceW": 152704, "GetVolumeNameForVolumeMountPointW": 151536, "GetVolumeInformationByHandleW": 153056, "FindFirstChangeNotificationW": 152432, "RegOpenKeyExA": 247856, "RegOpenKeyExW": 135552, "RegCreateKeyExA": 246992, "RegCreateKeyExW": 247024, "RegEnumKeyExA": 247280, "RegEnumKeyExW": 247360, "RegEnumValueA": 247440, "RegEnumValueW": 247520, "RegSetValueExA": 248368, "RegSetValueExW": 248400, "RegQueryValueExA": 248144, "RegQueryValueExW": 248176, "RegDeleteValueA": 247184, "RegDeleteValueW": 247216, "RegQueryInfoKeyA": 247888, "RegQueryInfoKeyW": 248016, "RegCloseKey": 149920, "RegNotifyChangeKeyValue": 247824, "CreateToolhelp32Snapshot": 164368, "Process32FirstW": 142864, "Process32NextW": 142256, "WaitForDebugEvent": 
250096, "ReadProcessMemory": 117872, "WriteProcessMemory": 250608, "VirtualProtectEx": 250064, "CreateThread": 113968, "CreateRemoteThread": 242064, "SetErrorMode": 118672, "DeviceIoControl": 88944, "IsDebuggerPresent": 133424, "WriteConsoleA": 154416, "WriteConsoleW": 154432, "GetComputerNameA": 109200, "GetComputerNameW": 109552, "GetSystemInfo": 123696, "SystemTimeToTzSpecificLocalTime": 141616, "GlobalMemoryStatus": 118912, "GlobalMemoryStatusEx": 134320, "GetLocalTime": 124832, "GetSystemTime": 113936, "GetSystemTimeAsFileTime": 99088, "GetTickCount": 89120, "GetTickCount64": 90896, "VirtualFree": 108736}, "DllBase": "0x7ffbc2640000", "DllName": "\\Windows\\System32\\kernel32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "DllBase": "0x3130000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", "DllBase": "0xe590000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", 
"Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Program 
Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\msvcrt.dll", "DllBase": "0x7ffbc2c30000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"system": 97872}, "DllBase": "0x7ffbc2c30000", "DllName": "\\Windows\\System32\\msvcrt.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 5388} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\advapi32.dll", "DllBase": "0x7ffbc36c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel32.dll", "DllBase": "0x7ffbc2640000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "DllBase": "0x3360000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CryptAcquireContextA": 94000, "CryptAcquireContextW": 94320, "RegOpenKeyExA": 93568, "RegOpenKeyExW": 90080, "RegCreateKeyExA": 96544, "RegCreateKeyExW": 93184, "RegDeleteKeyA": 16528, "RegDeleteKeyW": 93216, "RegEnumKeyW": 91296, "RegEnumKeyExA": 16624, "RegEnumKeyExW": 88560, "RegEnumValueA": 202176, "RegEnumValueW": 91968, "RegSetValueExA": 16704, "RegSetValueExW": 94080, "RegQueryValueExA": 93872, "RegQueryValueExW": 90048, "RegDeleteValueA": 17456, "RegDeleteValueW": 104080, "RegQueryInfoKeyA": 17056, "RegQueryInfoKeyW": 90624, "RegCloseKey": 92048, "RegNotifyChangeKeyValue": 96864, "CreateProcessWithLogonW": 304352, "CreateProcessWithTokenW": 17488, "InitiateShutdownW": 104112, "InitiateSystemShutdownW": 281520, "InitiateSystemShutdownExW": 290480, "LookupPrivilegeValueW": 63856, "GetCurrentHwProfileW": 94368, "GetUserNameA": 304480, "GetUserNameW": 91376, "LsaOpenPolicy": 113712, "SaferIdentifyLevel": 46944, "OpenSCManagerA": 97648, "OpenSCManagerW": 96448, "CreateServiceA": 197216, "CreateServiceW": 197360, "OpenServiceA": 201664, "OpenServiceW": 96992, "StartServiceA": 203056, "StartServiceW": 119584, "ControlService": 196960, "DeleteService": 199648, "CryptDecrypt": 198880, "CryptEncrypt": 199008, "CryptHashData": 93120, "CryptDecryptMessage": 198880, "CryptEncryptMessage": 199008, "CryptExportKey": 91904, "CryptGenKey": 199168, "CryptCreateHash": 92080, "CryptEnumProvidersA": 199104, "CryptEnumProvidersW": 199136}, "DllBase": "0x7ffbc36c0000", "DllName": "\\Windows\\System32\\advapi32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"SetUnhandledExceptionFilter": 132480, "CreateProcessInternalW": 241936, "MoveFileWithProgressW": 246112, "MoveFileWithProgressTransactedW": 143376, "CreateDirectoryW": 152240, "CreateDirectoryExW": 241552, "RemoveDirectoryA": 153232, "RemoveDirectoryW": 153248, "FindFirstFileExA": 152464, "FindFirstFileExW": 152480, "FindNextFileW": 152592, "CopyFileA": 402736, "CopyFileW": 153936, "CopyFileExW": 134720, "DeleteFileA": 152320, "DeleteFileW": 152336, "GetDiskFreeSpaceExA": 152672, "GetDiskFreeSpaceExW": 152688, "GetDiskFreeSpaceA": 152656, "GetDiskFreeSpaceW": 152704, "GetVolumeNameForVolumeMountPointW": 151536, "GetVolumeInformationByHandleW": 153056, "FindFirstChangeNotificationW": 152432, "RegOpenKeyExA": 247856, "RegOpenKeyExW": 135552, "RegCreateKeyExA": 246992, "RegCreateKeyExW": 247024, "RegEnumKeyExA": 247280, "RegEnumKeyExW": 247360, "RegEnumValueA": 247440, "RegEnumValueW": 
247520, "RegSetValueExA": 248368, "RegSetValueExW": 248400, "RegQueryValueExA": 248144, "RegQueryValueExW": 248176, "RegDeleteValueA": 247184, "RegDeleteValueW": 247216, "RegQueryInfoKeyA": 247888, "RegQueryInfoKeyW": 248016, "RegCloseKey": 149920, "RegNotifyChangeKeyValue": 247824, "CreateToolhelp32Snapshot": 164368, "Process32FirstW": 142864, "Process32NextW": 142256, "WaitForDebugEvent": 250096, "ReadProcessMemory": 117872, "WriteProcessMemory": 250608, "VirtualProtectEx": 250064, "CreateThread": 113968, "CreateRemoteThread": 242064, "SetErrorMode": 118672, "DeviceIoControl": 88944, "IsDebuggerPresent": 133424, "WriteConsoleA": 154416, "WriteConsoleW": 154432, "GetComputerNameA": 109200, "GetComputerNameW": 109552, "GetSystemInfo": 123696, "SystemTimeToTzSpecificLocalTime": 141616, "GlobalMemoryStatus": 118912, "GlobalMemoryStatusEx": 134320, "GetLocalTime": 124832, "GetSystemTime": 113936, "GetSystemTimeAsFileTime": 99088, "GetTickCount": 89120, "GetTickCount64": 90896, "VirtualFree": 108736}, "DllBase": "0x7ffbc2640000", "DllName": "\\Windows\\System32\\kernel32.dll", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", "DllBase": "0xea00000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.296068", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e35", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb40:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x667e2beb88"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.301725", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e3b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb40:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x667e2beb88"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.302886", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", 
"EventUID": "0x4e46", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb90:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x667e2bebd8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.303628", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e4e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb90:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x667e2bebd8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.307961", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e73", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2bdfc0:\"api-ms-win-core-localization-l1-2-1\"", "Arg3=0x667e2be008"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.339727", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x4f56", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde550:\"ntdll.dll\"", "Arg3=0x6f9afde570"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.345409", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x4f9e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", 
"Arg1=0x0", "Arg2=0x6f9afde5b0:\"ntdll.dll\"", "Arg3=0x6f9afde5d0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.348101", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4fc0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc3a0392c", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x7ffbc3a4d1e0:\"KERNEL32.DLL\"", "Arg3=0x6f9afdf028"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.386294", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x51cb", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"kernel32\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.390432", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x51fe", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"api-ms-win-core-string-l1-1-0\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.391401", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x520a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"api-ms-win-core-datetime-l1-1-1\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.393140", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5222", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"api-ms-win-core-localization-obsolete-l1-2-0\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.400549", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5286", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2beb90:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e2bebb0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.405164", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x52c3", 
"Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2bea40:\"ntdll.dll\"", "Arg3=0x667e2bea60"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.423117", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x537f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2beb90:\"rpcrt4.dll\"", "Arg3=0x667e2bebb0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": 
"0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": 
"1716999136.504969", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5767", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2bf7f0:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e2bf810"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.512961", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x57da", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x50001f", "Arg2=0x667e2bf7a0", "Arg3=0x8", "Arg4=0x0", "Arg5=0x0", "Arg6=0x667e2bf750", "Arg7=0x0", "Arg8=0x667e2bf7d0", "Arg9=0x7ff74b907984"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.514588", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateThread", "EventUID": "0x57ee", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b9079ae", "ReturnValue": "0x11c", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ff74b900490", "Arg3=0x0", "Arg4=0x0", "Arg5=0x0", "Arg6=0x0", "Arg7=0x7ff74b909391"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.532717", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x58f4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", 
"Arg2=0x6f9afdeba0:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x6f9afdebe8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.534334", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5907", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afdeba0:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x6f9afdebe8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.535761", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5916", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x6f9afdec38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.536492", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x591e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x6f9afdec38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.538358", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5936", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afde020:\"api-ms-win-core-localization-l1-2-1\"", "Arg3=0x6f9afde068"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.542974", "PID": 
5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5978", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x6f9afdec10"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.547772", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x59b7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdeaa0:\"ntdll.dll\"", "Arg3=0x6f9afdeac0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.567308", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x5aad", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x0", "Arg3=0x0", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.570977", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x5ad7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x50000f", "Arg2=0x667e67e820", "Arg3=0x18", "Arg4=0x0", "Arg5=0x0", "Arg6=0x667e67e7f0", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ff74b90465c"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\user32.dll", "DllBase": 
"0x7ffbc31a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CreateWindowExA": 15376, "CreateWindowExW": 30496, "FindWindowA": 503872, "FindWindowW": 144880, "FindWindowExA": 12368, "FindWindowExW": 155376, "SendNotifyMessageA": 199568, "SendNotifyMessageW": 168848, "SetWindowLongA": 182352, "SetWindowLongW": 69392, "SetWindowLongPtrA": 182448, "SetWindowLongPtrW": 47040, "SetWindowsHookExA": 324864, "SetWindowsHookExW": 176832, "UnhookWindowsHookEx": 176672, "ExitWindowsEx": 180000, "GetSystemMetrics": 134848, "GetCursorPos": 163136, "GetAsyncKeyState": 147152, "SystemParametersInfoA": 166592, "SystemParametersInfoW": 144208, "GetLastInputInfo": 158240, "MsgWaitForMultipleObjectsEx": 132960}, "DllBase": "0x7ffbc31a0000", "DllName": "\\Windows\\System32\\user32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.617224", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5cb7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"rpcrt4.dll\"", "Arg3=0x6f9afdec10"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcss.dll", "DllBase": "0x1d073250000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.635572", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5da7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf160:\"C:\\\\Windows\\\\system32\\\\rpcss.dll\"", "Arg3=0x6f9afdf190"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": 
"apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcrt.dll", "DllBase": "0x7ffbc2c30000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"system": 97872}, "DllBase": "0x7ffbc2c30000", "DllName": "\\Windows\\System32\\msvcrt.dll", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": 
"apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.695190", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6077", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67e6d0:\"gdi32full.dll\"", "Arg3=0x667e67e6f0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": 
"0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x1ba2bcb0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.718087", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6156", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dd50:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67dd70"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.720473", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "DeviceIoControl", "EventUID": "0x6173", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc17df10d", "ReturnValue": "0x1", "Arguments": ["Arg0=0x108", "Arg1=0x390008", "Arg2=0x0", "Arg3=0x0", "Arg4=0x6f9afde158", "Arg5=0x6f00000030", "Arg6=0x6f9afde138", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ffbc17d83a4"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.725753", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x61a4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf440:\"combase.dll\"", "Arg3=0x6f9afdf460"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.727437", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x61b8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d1f0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67d210"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.728228", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x61c2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x667e67dd40:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67dd88"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.728584", 
"PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x61c6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dfd0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67dff0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\Conhost.exe.mui", "DllBase": "0x1ba2bcb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": 
"1716999136.782679", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6493", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dc20:\"gdi32.dll\"", "Arg3=0x667e67dc40"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.824531", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x66de", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x6f9afde840:\"rpcrt4.dll\"", "Arg3=0x6f9afde888"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.852755", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x687a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dde0:\"ntdll.dll\"", "Arg3=0x667e67de00"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.858678", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68d0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ed00:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ed48"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.859202", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68d3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e67ed00:\"user32.dll\"", "Arg3=0x667e67ed48"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.859937", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68da", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ed10:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ed58"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.860432", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68dd", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ec00:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec48"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.878531", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x69e2", "Event": "api_called", 
"CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ebd0:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec18"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.933318", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6cc1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde1b0:\"ntdll.dll\"", "Arg3=0x6f9afde1d0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\shell32.dll", "DllBase": "0x7ffbc1990000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"SHGetFolderPathW": 711520, "SHGetKnownFolderPath": 804704, "SHGetFileInfoW": 356832, "ShellExecuteExW": 292000}, "DllBase": "0x7ffbc1990000", "DllName": "\\Windows\\System32\\shell32.dll", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.954837", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6dc0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d730:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e67d750"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.956060", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6dcf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d5b0:\"advapi32.dll\"", "Arg3=0x667e67d5d0"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999136.961110", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6e17", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d670:\"ntdll.dll\"", "Arg3=0x667e67d690"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.975855", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x6ec8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x667e67e240:\"C:\\\\Windows\\\\system32\\\\uxtheme.dll\"", "Arg3=0x667e67e288"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcss.dll", "DllBase": "0x1d0732b0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.031823", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x719a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde910:\"C:\\\\Windows\\\\system32\\\\rpcss.dll\"", "Arg3=0x6f9afde940"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.052403", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x728e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314af", "ReturnValue": "0x10", "Arguments": ["Arg0=0x32"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.052933", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7292", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314c4", "ReturnValue": "0x10", "Arguments": ["Arg0=0x31"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.053501", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7296", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314d9", "ReturnValue": "0x20", "Arguments": ["Arg0=0xc"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.053963", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x729a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314ee", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.057960", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x72b6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e67d600:\"kernel32.dll\"", "Arg3=0x667e67d648"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\Globalization\\Sorting\\SortDefault.nls", "DllBase": "0x1ba2d6b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x2bb60000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.066822", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x730f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67cc00:\"ntdll.dll\"", "Arg3=0x667e67cc20"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.071363", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x7347", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ebc0:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec08"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.071832", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x734b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e67ebc0:\"user32.dll\"", "Arg3=0x667e67ec08"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.072631", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x7354", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67e920:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67e968"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.097596", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7496", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde930:\"combase.dll\"", "Arg3=0x6f9afde950"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.182672", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7835", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf130:\"combase.dll\"", "Arg3=0x6f9afdf160"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.191545", 
"PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateThread", "EventUID": "0x784a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc289cac4", "ReturnValue": "0x178", "Arguments": ["Arg0=0x0", "Arg1=0x8000", "Arg2=0x7ffbc28e2ce0", "Arg3=0x1d07307f850", "Arg4=0x1d000000000", "Arg5=0x6f9afdf1b0", "Arg6=0x1574f454d", "Arg7=0x134"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.204576", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateThread", "EventUID": "0x78f4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f48ca", "ReturnValue": "0x1a4", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ff74b90b670", "Arg3=0x1ba2bd034c0", "Arg4=0x1ba00000000", "Arg5=0x0", "Arg6=0x0", "Arg7=0x7ff74b8f44e7"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.205372", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x78fc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ec50:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec98"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.206976", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateThread", "EventUID": "0x7910", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90e082", "ReturnValue": "0x1a8", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ff74b8f2ea0", "Arg3=0x0", "Arg4=0x7ffb00000000", "Arg5=0x667e67ed18", "Arg6=0x0", "Arg7=0x7ff74b8f45bc"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\conhost.exe", "DllBase": "0x1ba2e0f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.233781", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7a39", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f3f6c", "ReturnValue": "0x10", "Arguments": ["Arg0=0x32"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.234219", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7a3d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f3f7f", "ReturnValue": "0x10", "Arguments": ["Arg0=0x31"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": 
"1716999137.236645", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x7a58", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ffa98", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.237362", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x7a60", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ffa98", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.239723", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x7a7c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ffa98", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": 
"0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": 
"1716999137.315158", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7e1f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe1b0:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e6fe1d0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ole32.dll", "DllBase": "0x1ba2e0f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.359100", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7efb", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe220:\"ext-ms-win-ole32-oleautomation-l1-1-0.dll\"", "Arg3=0x667e6fe240"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.372628", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x7fa6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x70354", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", 
"DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.416095", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x81f7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fea00:\"ntdll.dll\"", "Arg3=0x667e6fea20"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.424227", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x8270", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x1ba2d6a0bf0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.426158", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x8287", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b901b81", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xffffffeb", "Arg2=0x1ba2bd04690"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.427460", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8295", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": 
["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.428152", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x829c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.465968", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x83a5", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf480:\"combase.dll\"", "Arg3=0x6f9afdf4b0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.467793", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateThread", "EventUID": "0x83b9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc289cac4", "ReturnValue": "0x198", "Arguments": ["Arg0=0x0", "Arg1=0x8000", "Arg2=0x7ffbc28e2ce0", "Arg3=0x1d0730882e0", "Arg4=0x0", "Arg5=0x6f9afdf500", "Arg6=0x1d073077d70", "Arg7=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.470603", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x83de", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": 
"0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.474383", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8403", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.475187", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x840b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.477097", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8422", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", 
"Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\user32.dll", "DllBase": "0x7ffbc31a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CreateWindowExA": 15376, "CreateWindowExW": 30496, "FindWindowA": 503872, "FindWindowW": 144880, "FindWindowExA": 12368, "FindWindowExW": 155376, "SendNotifyMessageA": 199568, "SendNotifyMessageW": 168848, "SetWindowLongA": 182352, "SetWindowLongW": 69392, "SetWindowLongPtrA": 182448, "SetWindowLongPtrW": 47040, "SetWindowsHookExA": 324864, "SetWindowsHookExW": 176832, "UnhookWindowsHookEx": 176672, "ExitWindowsEx": 180000, "GetSystemMetrics": 134848, "GetCursorPos": 163136, "GetAsyncKeyState": 147152, "SystemParametersInfoA": 166592, "SystemParametersInfoW": 144208, "GetLastInputInfo": 158240, "MsgWaitForMultipleObjectsEx": 132960}, "DllBase": "0x7ffbc31a0000", "DllName": "\\Windows\\System32\\user32.dll", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": 
"0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.545329", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0x8768", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f39ae", "ReturnValue": "0x80324", "Arguments": ["Arg0=0xc0110", "Arg1=0x7ff74b991048:\"ConsoleWindowClass\"", "Arg2=0x1ba2bd045d0:\"C:\\\\Users\\\\litter\\\\Desktop\\\\malware.exe\"", "Arg3=0xff0000", "Arg4=0x7ff780000000", "Arg5=0x7ffb00000000", "Arg6=0x3e1", "Arg7=0x207", "Arg8=0x0", "Arg9=0x0", "Arg10=0x0", "Arg11=0x1ba2bd04690"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-GB\\user32.dll.mui", "DllBase": "0x1ba2bf80000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.572178", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x888a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"kernel32\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.572685", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x888e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"api-ms-win-core-string-l1-1-0\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.573175", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x8892", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"api-ms-win-core-datetime-l1-1-1\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.573677", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x8896", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"api-ms-win-core-localization-obsolete-l1-2-0\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.584710", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8930", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fea80:\"USER32\"", "Arg3=0x667e6feaa0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.585060", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8935", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fe760:\"gdi32full.dll\"", "Arg3=0x6f9b6fe780"]} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x1d0734b0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.591688", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8982", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fdde0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fde00"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.599613", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x89e1", "Event": "api_called", "CLSID": null, "CalledFrom": 
"0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fd280:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fd2a0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.599950", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x89e3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x6f9b6fddd0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fde18"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.600495", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x89e8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fe060:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fe080"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.665086", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8d1b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fdcb0:\"gdi32.dll\"", "Arg3=0x6f9b6fdcd0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.678116", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8daf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7e927", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff180", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.687719", "PID": 3564, "PPID": 4852, "TID": 
4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8e2f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7d429", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff070", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.690995", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8e5b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7d429", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff120", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.734863", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x909f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fde70:\"ntdll.dll\"", "Arg3=0x6f9b6fde90"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.787050", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x9352", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x6f9b6fed90:\"C:\\\\Windows\\\\system32\\\\uxtheme.dll\"", "Arg3=0x6f9b6fedd8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\Fonts\\StaticCache.dat", "DllBase": "0x1ba2e6e0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.870973", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x97ae", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0xd0022", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999137.878466", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateWindowExW", "EventUID": "0x981d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc290fd57", "ReturnValue": "0xd0022", "Arguments": ["Arg0=0x0", "Arg1=0xc03c:\"\"", "Arg2=0x7ffbc2ad0348:\"OleMainThreadWndName\"", "Arg3=0x88000000", "Arg4=0x1480000000", "Arg5=0x7ffb80000000", "Arg6=0x80000000", "Arg7=0x80000000", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbc2840000", "Arg11=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.884004", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9869", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc28f5585", "ReturnValue": "0x7ffbc290cab0", "Arguments": ["Arg0=0xd0022", "Arg1=0xfffffffc", "Arg2=0x7ffbc28c31f0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": 
"0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.913817", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateThread", "EventUID": "0x9a00", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc28e7bdc", "ReturnValue": "0x1cc", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ffbc2927ec0", "Arg3=0x1d073077f20", "Arg4=0x1d000000000", "Arg5=0x6f9afdf4c0", "Arg6=0x6f9afdf4f0", "Arg7=0x6f9afdf4c0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.940128", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9b64", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x1ba2d6a0bf0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.948190", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9bd2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x1ba2d6a0bb0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.949332", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9be0", "Event": "api_called", "CLSID": null, 
"CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ff598", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.950140", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9be8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ff598", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.952227", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9bfc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ff598", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.994587", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9ddf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ff528", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.995379", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9de7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ff528", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.997364", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9dfe", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ff528", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.007843", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x9e8c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e6ffa60:\"uxtheme.dll\"", "Arg3=0x667e6ffaa8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.037093", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9fe6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x1ba2d6a0bb0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.041915", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xa024", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x1ba2d6a0bb0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WindowsShell.Manifest", "DllBase": "0x1ba2d5f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.079873", "PID": 
3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa1ac", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa03bbc", "ReturnValue": "0x1", "Arguments": ["Arg0=0x1022", "Arg1=0x0", "Arg2=0x7ffbbabce7d0", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.080385", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xa1b0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6feaf0:\"LPK\"", "Arg3=0x667e6feb10"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.080788", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xa1b3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6feaf0:\"GDI32\"", "Arg3=0x667e6feb10"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.081606", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xa1be", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6ff4c0:\"comctl32\"", "Arg3=0x667e6ff508"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.084737", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa1e3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7e927", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff4e0", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.112118", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa38f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6fefa8", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.112942", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa397", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6fefa8", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.114508", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa3ab", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6fefa8", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": 
"0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999138.205042", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa88f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c094", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.205524", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa892", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c05b", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.205957", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa895", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c079", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.206418", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa899", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c035", "ReturnValue": "0x20", "Arguments": ["Arg0=0xc"]} +{"Plugin": "apimon", 
"TimeStamp": "1716999138.206830", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa89c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c019", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.207299", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa8a0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c035", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.208543", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0xa8ad", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", "Arg2=0x6f9b6fdc40:\"C:\\\\Windows\\\\System32\\\\thumbcache.dll\"", "Arg3=0x6f9b6fdc88"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999138.209940", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xa8b9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fe210:\"combase.dll\"", "Arg3=0x6f9b6fe230"]} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", 
"PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999138.286417", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowsHookExW", "EventUID": "0xac6e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f30a1", "ReturnValue": "0x6a02b3", "Arguments": ["Arg0=0xffffffff", "Arg1=0x7ff74b973d10", "Arg2=0x0", "Arg3=0x126c"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.300031", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0xacfb", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", "Arg2=0x6f9b6fc930:\"C:\\\\Windows\\\\system32\\\\propsys.dll\"", "Arg3=0x6f9b6fc978"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcss.dll", "DllBase": 
"0x1ba2f940000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.457286", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xb4dc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe970:\"C:\\\\Windows\\\\system32\\\\rpcss.dll\"", "Arg3=0x667e6fe9a0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.518283", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0xb6dc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc17df10d", "ReturnValue": "0x1", "Arguments": ["Arg0=0x200", "Arg1=0x390008", "Arg2=0x0", "Arg3=0x0", "Arg4=0x667e6fd968", "Arg5=0x6600000030", "Arg6=0x667e6fd948", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ffbc17d83a4"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.527109", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xb740", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x70322", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.529108", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xb758", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc290fd57", "ReturnValue": "0x70322", "Arguments": ["Arg0=0x0", "Arg1=0xc03c:\"\"", "Arg2=0x7ffbc2ad0348:\"OleMainThreadWndName\"", "Arg3=0x88000000", "Arg4=0x1480000000", "Arg5=0x7ffb80000000", "Arg6=0x80000000", "Arg7=0x80000000", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbc2840000", "Arg11=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.545379", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xb82e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc34384ce", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2000"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.558074", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xb8d9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9030a", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.560982", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xb900", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc342b378", "ReturnValue": "0x9030a", "Arguments": ["Arg0=0x0", "Arg1=0x7ffbc34efa88:\"CicMarshalWndClass\"", "Arg2=0x7ffbc34efab0:\"CicMarshalWnd\"", "Arg3=0x88000000", "Arg4=0x7ffb00000000", "Arg5=0x0", "Arg6=0x6600000000", "Arg7=0x0", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbc3410000", "Arg11=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.564701", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xb930", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fcb60:\"rpcrt4.dll\"", "Arg3=0x667e6fcba8"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.607739", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xbb63", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": 
["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe0f0:\"ntdll.dll\"", "Arg3=0x667e6fe110"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 
3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ws2_32.dll", "DllBase": "0x7ffbc27c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"WSAStartup": 60176, "getaddrinfo": 14096, "GetAddrInfoW": 23328, "gethostname": 157920, "gethostbyname": 157392, "socket": 22000, "connect": 72272, "send": 8992, "sendto": 71520, "recv": 73104, "recvfrom": 81312, "accept": 70496, "bind": 68032, "listen": 70304, "select": 71104, "setsockopt": 69792, "ioctlsocket": 20960, "closesocket": 20480, "shutdown": 72896, "WSAAccept": 70528, "WSAConnect": 
196912, "WSAConnectByNameW": 199808, "WSAConnectByList": 197216, "WSARecv": 66816, "WSARecvFrom": 80976, "WSASend": 8032, "WSASendTo": 190384, "WSASendMsg": 21024, "WSASocketA": 81936, "WSASocketW": 22192}, "DllBase": "0x7ffbc27c0000", "DllName": "\\Windows\\System32\\ws2_32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.723605", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc010", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", 
"Arg2=0x667e6fe750:\"ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll\"", "Arg3=0x667e6fe770"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.731883", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xc026", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fe5d0:\"ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll\"", "Arg3=0x667e6fe618"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.732775", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc02d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe4b0:\"ntdll.dll\"", "Arg3=0x667e6fe4d0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": 
"0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.746356", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xc0d4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x900d8", "Arg1=0xfffffffe", "Arg2=0xfffffffffffffffe"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.748501", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xc0ec", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbe72dfdf", "ReturnValue": "0x900d8", "Arguments": ["Arg0=0x0", "Arg1=0x7ffbbe78a158:\"UserAdapterWindowClass\"", "Arg2=0x0:\"\"", "Arg3=0x0", "Arg4=0x6600000000", "Arg5=0x1ba00000000", "Arg6=0x1ba00000000", "Arg7=0x1ba00000000", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbbe6f0000", "Arg11=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.750263", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xc0fd", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbe72e218", "ReturnValue": "0x0", "Arguments": ["Arg0=0x900d8", "Arg1=0x0", "Arg2=0x1ba2bfd6790"]} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.752237", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xc111", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fe4d0:\"ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll\"", "Arg3=0x667e6fe518"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": 
"0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.758230", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xc149", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fe340:\"api-ms-win-core-com-l1-1-0.dll\"", "Arg3=0x667e6fe388"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.774585", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc216", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe5a0:\"ntdll.dll\"", "Arg3=0x667e6fe5c0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", 
"Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.796081", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc320", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe9c0:\"iertutil.dll\"", "Arg3=0x667e6fe9e0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.822076", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc45a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fd660:\"USER32\"", "Arg3=0x667e6fd680"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.840112", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", 
"EventUID": "0xc541", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0xa0242", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.842103", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xc559", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc34256b3", "ReturnValue": "0x0", "Arguments": ["Arg0=0xa0242", "Arg1=0x8", "Arg2=0x1ba2dcd5a40"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.843314", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xc567", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc31a85ff", "ReturnValue": "0xa0242", "Arguments": ["Arg0=0x0", "Arg1=0x667e6fe434:\"MSCTFIME UI\"", "Arg2=0x667e6fe434:\"MSCTFIME UI\"", "Arg3=0x88000000", "Arg4=0x1ba00000000", "Arg5=0x100000000", "Arg6=0x312700000000", "Arg7=0x700000000", "Arg8=0x70354", "Arg9=0x0", "Arg10=0x0", "Arg11=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.848762", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc5b1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe830:\"combase.dll\"", "Arg3=0x667e6fe850"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.982882", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xcb4a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", "Arg2=0x667e6fd050:\"C:\\\\Windows\\\\System32\\\\msctf.dll\"", "Arg3=0x667e6fd098"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.036313", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xce2b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", 
"Arg2=0x667e6fd050:\"C:\\\\Windows\\\\system32\\\\msctf.dll\"", "Arg3=0x667e6fd098"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.039323", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xce49", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x667e6ff2d0:\"C:\\\\Windows\\\\System32\\\\MSCTF.dll\"", "Arg3=0x667e6ff318"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.259229", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd909", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14f6d", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x7ffbbabcd438", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.259935", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd910", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14f88", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x7ffbbabcd43c", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.260349", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xd913", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14f99", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.261085", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd91b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14fbd", "ReturnValue": "0x1", "Arguments": ["Arg0=0x26", "Arg1=0x4", "Arg2=0x7ffbbabcd440", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.262023", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd923", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14fda", "ReturnValue": "0x1", "Arguments": ["Arg0=0x103e", "Arg1=0x0", "Arg2=0x7ffbbabcd44c", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.262773", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd92b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14ff7", "ReturnValue": "0x1", "Arguments": ["Arg0=0x1042", "Arg1=0x0", "Arg2=0x7ffbbabcd450", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.263550", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd933", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa15012", "ReturnValue": "0x1", "Arguments": ["Arg0=0x1b", "Arg1=0x0", "Arg2=0x7ffbbabcd444", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.265873", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xd93f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fee40:\"ntdll.dll\"", "Arg3=0x667e6fee60"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.328576", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xdc84", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa15452", "ReturnValue": "0x2", "Arguments": ["Arg0=0x2d"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.328985", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xdc86", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa1546d", "ReturnValue": "0x2", "Arguments": ["Arg0=0x2e"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.332370", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xdcaa", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", 
"ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fef60:\"ntdll.dll\"", "Arg3=0x667e6fef80"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\apppatch\\sysmain.sdb", "DllBase": "0x7df4f96c0000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.365887", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xde55", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa12378", "ReturnValue": "0x14ff0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14df0000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.381954", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xdf04", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa123b0", "ReturnValue": "0x14df0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14ff0000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.413152", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xe02d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa123f4", "ReturnValue": "0x14ff0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14ff0000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.484692", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xe3bc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ff478", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.488562", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xe3c3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ff478", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.491383", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xe3e2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ff478", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.511089", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xe4ec", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa12378", "ReturnValue": "0x14ef0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14ef0000"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.601240", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xe93e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.602416", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xe947", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e3bf2a0:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e3bf2e8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 
3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.667555", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0xecd7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500033", "Arg2=0x0", "Arg3=0x0", "Arg4=0x0", "Arg5=0x7ff700000000", "Arg6=0x667e67ed10", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ff74b8f465c"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.669532", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0xece8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x50000b", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x0", "Arg5=0x0", "Arg6=0x667e67edd0", "Arg7=0x0", "Arg8=0x1ba2bd06650", "Arg9=0x7ff74b903d99"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.693922", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xee20", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", 
"DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.733409", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xf021", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.971323", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xfc4d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.973582", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xfc69", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.110701", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x1031e", "Event": "api_called", "CLSID": null, "CalledFrom": 
"0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x0", "Arg3=0x0", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.430995", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x114ec", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.433106", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x11508", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999140.678185", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x122cf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bec00:\"ntdll.dll\"", "Arg3=0x12bec20"]} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 5228} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 5228} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\apphelp.dll", "DllBase": "0x7ffbbe940000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\apphelp.dll", "DllBase": "0x7ffbbe940000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\apphelp.dll", "DllBase": "0x7ffbbe940000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999140.822266", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x12ac9", "Event": 
"api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12be9f0:\"ntdll.dll\"", "Arg3=0x12bea38"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.824198", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x12ae0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bec20:\"api-ms-win-eventing-provider-l1-1-0.dll\"", "Arg3=0x12bec50"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.829119", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x12b1c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bec90:\"ntdll.dll\"", "Arg3=0x12becb0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\apppatch\\sysmain.sdb", "DllBase": "0x7ff4fdaa0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999140.961902", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x132f2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.963329", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x13306", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": 
["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.969008", "PID": 5228, "PPID": 772, "TID": 1756, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1335f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fad7f220:\"oleaut32.dll\"", "Arg3=0x86fad7f240"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x400000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\advapi32.dll", "DllBase": "0x7ffbc36c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CryptAcquireContextA": 94000, "CryptAcquireContextW": 94320, "RegOpenKeyExA": 93568, "RegOpenKeyExW": 90080, "RegCreateKeyExA": 96544, "RegCreateKeyExW": 93184, "RegDeleteKeyA": 16528, "RegDeleteKeyW": 93216, "RegEnumKeyW": 91296, "RegEnumKeyExA": 16624, "RegEnumKeyExW": 88560, "RegEnumValueA": 202176, "RegEnumValueW": 91968, "RegSetValueExA": 16704, "RegSetValueExW": 94080, "RegQueryValueExA": 93872, "RegQueryValueExW": 90048, "RegDeleteValueA": 17456, "RegDeleteValueW": 104080, "RegQueryInfoKeyA": 17056, "RegQueryInfoKeyW": 90624, "RegCloseKey": 92048, "RegNotifyChangeKeyValue": 96864, "CreateProcessWithLogonW": 304352, "CreateProcessWithTokenW": 17488, "InitiateShutdownW": 104112, "InitiateSystemShutdownW": 281520, "InitiateSystemShutdownExW": 290480, "LookupPrivilegeValueW": 63856, "GetCurrentHwProfileW": 94368, "GetUserNameA": 304480, "GetUserNameW": 91376, "LsaOpenPolicy": 113712, "SaferIdentifyLevel": 46944, "OpenSCManagerA": 97648, "OpenSCManagerW": 96448, "CreateServiceA": 197216, "CreateServiceW": 197360, "OpenServiceA": 201664, "OpenServiceW": 96992, "StartServiceA": 203056, "StartServiceW": 119584, "ControlService": 196960, 
"DeleteService": 199648, "CryptDecrypt": 198880, "CryptEncrypt": 199008, "CryptHashData": 93120, "CryptDecryptMessage": 198880, "CryptEncryptMessage": 199008, "CryptExportKey": 91904, "CryptGenKey": 199168, "CryptCreateHash": 92080, "CryptEnumProvidersA": 199104, "CryptEnumProvidersW": 199136}, "DllBase": "0x7ffbc36c0000", "DllName": "\\Windows\\System32\\advapi32.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcrt.dll", "DllBase": "0x7ffbc2c30000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"system": 97872}, "DllBase": "0x7ffbc2c30000", "DllName": "\\Windows\\System32\\msvcrt.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\crypt32.dll", "DllBase": "0x7ffbc1360000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CryptDecodeObjectEx": 136000, "CryptImportPublicKeyInfo": 23040}, "DllBase": "0x7ffbc1360000", "DllName": "\\Windows\\System32\\crypt32.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 4852} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\psapi.dll", "DllBase": "0x7ffbc3890000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\psapi.dll", "DllBase": "0x7ffbc3890000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\user32.dll", "DllBase": "0x7ffbc31a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.084533", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13930", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f360:\"ntdll.dll\"", "Arg3=0x86fa68f380"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.095996", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x139a8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f940:\"mscoree.dll\"", "Arg3=0x86fa68f970"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": 
"0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.097339", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x139b3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\psapi.dll", "DllBase": "0x7ffbc3890000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.101339", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x139df", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f520:\"ntdll.dll\"", "Arg3=0x86fa68f540"]} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CreateWindowExA": 15376, "CreateWindowExW": 30496, "FindWindowA": 503872, "FindWindowW": 144880, "FindWindowExA": 12368, "FindWindowExW": 155376, "SendNotifyMessageA": 199568, "SendNotifyMessageW": 168848, "SetWindowLongA": 182352, "SetWindowLongW": 69392, "SetWindowLongPtrA": 182448, "SetWindowLongPtrW": 47040, "SetWindowsHookExA": 324864, "SetWindowsHookExW": 176832, "UnhookWindowsHookEx": 176672, "ExitWindowsEx": 180000, "GetSystemMetrics": 134848, 
"GetCursorPos": 163136, "GetAsyncKeyState": 147152, "SystemParametersInfoA": 166592, "SystemParametersInfoW": 144208, "GetLastInputInfo": 158240, "MsgWaitForMultipleObjectsEx": 132960}, "DllBase": "0x7ffbc31a0000", "DllName": "\\Windows\\System32\\user32.dll", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.106009", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a06", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f570:\"ntdll.dll\"", "Arg3=0x86fa68f590"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.112468", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a3c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f550:\"ntdll.dll\"", "Arg3=0x86fa68f570"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.113732", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a48", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f590:\"ntdll.dll\"", "Arg3=0x86fa68f5b0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", 
"DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.115849", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a5d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ws2_32.dll", "DllBase": "0x7ffbc27c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"WSAStartup": 60176, "getaddrinfo": 14096, "GetAddrInfoW": 23328, "gethostname": 157920, "gethostbyname": 157392, "socket": 22000, "connect": 72272, "send": 8992, "sendto": 71520, "recv": 73104, "recvfrom": 81312, "accept": 70496, "bind": 68032, "listen": 70304, "select": 71104, "setsockopt": 69792, "ioctlsocket": 20960, "closesocket": 
20480, "shutdown": 72896, "WSAAccept": 70528, "WSAConnect": 196912, "WSAConnectByNameW": 199808, "WSAConnectByList": 197216, "WSARecv": 66816, "WSARecvFrom": 80976, "WSASend": 8032, "WSASendTo": 190384, "WSASendMsg": 21024, "WSASocketA": 81936, "WSASocketW": 22192}, "DllBase": "0x7ffbc27c0000", "DllName": "\\Windows\\System32\\ws2_32.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.213958", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13f83", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.228126", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1403d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f580:\"ntdll.dll\"", "Arg3=0x86fa68f5a0"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999141.230280", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x14058", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.232173", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x14071", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.241203", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x140ea", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.248274", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1414f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f540:\"ntdll.dll\"", "Arg3=0x86fa68f560"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.251119", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": 
"LdrGetDllHandle", "EventUID": "0x14177", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f570:\"ntdll.dll\"", "Arg3=0x86fa68f590"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x400000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.303682", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x14432", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf1b0:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x12bf1f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.356163", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x145af", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf1b0:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x12bf1f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.359149", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x145ca", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", 
"Arg2=0x12bf200:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x12bf248"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.360291", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x145da", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf200:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x12bf248"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.363632", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1460d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12be630:\"api-ms-win-core-localization-l1-2-1\"", "Arg3=0x12be678"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.368002", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x14651", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"kernel32\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.369879", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1466e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"api-ms-win-core-string-l1-1-0\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.373056", "PID": 4852, "PPID": 3888, 
"TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x146a1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"api-ms-win-core-datetime-l1-1-1\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.380641", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1471e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"api-ms-win-core-localization-obsolete-l1-2-0\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.385032", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x14764", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bf2d0:\"gdi32full.dll\"", "Arg3=0x12bf2f0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x180000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.421212", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1496f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12be950:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12be970"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.428343", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x149bf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bddf0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12bde10"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.495052", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x14db1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.496679", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x14dc5", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.596598", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": 
"LdrLoadDll", "EventUID": "0x153d2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x12be940:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12be988"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.597099", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x153d6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bebd0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12bebf0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.613009", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x154d2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12be820:\"gdi32.dll\"", "Arg3=0x12be840"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", "DllBase": "0xe590000", "PID": 3888} +{"Plugin": "apimon", "TimeStamp": "1716999141.658378", "PID": 4852, "PPID": 3888, "TID": 6020, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x15751", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12be9e0:\"ntdll.dll\"", "Arg3=0x12bea00"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.684948", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x158bd", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bfa30:\"kernel32.dll\"", "Arg3=0x12bfa78"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.686136", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x158c2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"advapi32.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.702845", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x159aa", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"ntdll.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\winmm.dll", "DllBase": "0x7ffbae1c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"timeGetTime": 12688}, "DllBase": "0x7ffbae1c0000", "DllName": "\\Windows\\System32\\winmm.dll", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.710688", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x15a15", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"winmm.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.711124", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x15a18", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"ws2_32.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "DllBase": "0x3130000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 4852} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.777834", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x15d35", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.802227", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x15e7c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.810547", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x15ee7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999141.848461", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x160db", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bfca0:\"kernel32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.854424", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x16125", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bfca0:\"ws2_32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.949151", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16132", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db", "DllBase": "0x2920000", "PID": 3888} +{"Plugin": "apimon", "TimeStamp": "1716999142.029092", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x16569", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999142.030748", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x1657e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.073312", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "WSAStartup", "EventUID": "0x167cf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x0", "Arguments": ["Arg0=0x202", "Arg1=0xc00002fcc8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\mswsock.dll", "DllBase": "0x40b0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\mswsock.dll.mui", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\mswsock.dll", "DllBase": "0x40b0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\mswsock.dll.mui", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\wshqos.dll", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\wshqos.dll.mui", "DllBase": "0x1400000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\wshqos.dll", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\wshqos.dll.mui", "DllBase": "0x1400000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999142.173880", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16d41", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.196793", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16e69", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.212138", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16f2e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.218237", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x16f7c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bfca0:\"kernel32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.229418", "PID": 4852, "PPID": 3888, "TID": 
6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x17006", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bfca0:\"kernel32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", "DllBase": "0xea00000", "PID": 3888} +{"Plugin": "apimon", "TimeStamp": "1716999142.547197", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x17f94", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.548712", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x17fa8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.947540", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x18ca1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bfb50:\"ntdll.dll\"", "Arg3=0x12bfb70"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\tzres.dll", "DllBase": "0x4610000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\en-GB\\tzres.dll.mui", "DllBase": "0x4620000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\tzres.dll", "DllBase": "0x4610000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-GB\\tzres.dll.mui", "DllBase": "0x4620000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.020900", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x19035", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\mswsock.dll", "DllBase": "0x7ffbc06f0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.092685", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x1940e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.098779", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x19427", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"TransmitFile": 164976, "NSPStartup": 49312}, "DllBase": "0x7ffbc06f0000", "DllName": "\\Windows\\System32\\mswsock.dll", "PID": 
4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.129325", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x195c1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bf1a0:\"C:\\\\Windows\\\\system32\\\\mswsock.dll\"", "Arg3=0x12bf1e8"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.142800", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "WSASocketW", "EventUID": "0x1965d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c565e", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x2", "Arg1=0x2", "Arg2=0x0", "Arg3=0x0", "Arg4=0x0", "Arg5=0x1"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.143041", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "socket", "EventUID": "0x1965f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d42", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x2", "Arg1=0x2", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.143623", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "closesocket", "EventUID": "0x19666", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d5a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1ac"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.144430", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x19670", "Event": "api_called", 
"CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bf1a0:\"C:\\\\Windows\\\\system32\\\\mswsock.dll\"", "Arg3=0x12bf1e8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ClipSVC.dll", "DllBase": "0x7ffbb84e0000", "PID": 1552} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ClipSVC.dll", "DllBase": "0x7ffbb84e0000", "PID": 1552} +{"Plugin": "apimon", "TimeStamp": "1716999143.167972", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1979c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x460fd70:\"advapi32.dll\"", "Arg3=0x460fdb8"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.169796", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "RegOpenKeyExW", "EventUID": "0x197b4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2", "Arguments": ["Arg0=0x80000001", "Arg1=0xc000110000:\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"", "Arg2=0x0", "Arg3=0x20006", "Arg4=0xc0000c1e38"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.170605", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "RegOpenKeyExW", "EventUID": "0x197bf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2", "Arguments": ["Arg0=0x80000001", "Arg1=0xc000110080:\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"", "Arg2=0x0", "Arg3=0x20006", "Arg4=0xc0000c1e38"]} +{"Plugin": "apimon", 
"TimeStamp": "1716999143.171411", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "RegOpenKeyExW", "EventUID": "0x197c9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2", "Arguments": ["Arg0=0x80000001", "Arg1=0xc000110100:\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"", "Arg2=0x0", "Arg3=0x20006", "Arg4=0xc0000c1e38"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.207557", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "WSASocketW", "EventUID": "0x199be", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c565e", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x17", "Arg1=0x2", "Arg2=0x0", "Arg3=0x0", "Arg4=0x0", "Arg5=0x1"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.207664", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "socket", "EventUID": "0x199bf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d69", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x17", "Arg1=0x2", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.208344", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "closesocket", "EventUID": "0x199c7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d81", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1ac"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.209404", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": 
"0x199d4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12be990:\"C:\\\\Windows\\\\System32\\\\mswsock.dll\"", "Arg3=0x12be9d8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dnsapi.dll", "DllBase": "0x7ffbc0420000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"DnsQuery_A": 346992, "DnsQuery_UTF8": 153328, "DnsQuery_W": 33872}, "DllBase": "0x7ffbc0420000", "DllName": "\\Windows\\System32\\dnsapi.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\nsi.dll", "DllBase": "0x7ffbc2830000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\nsi.dll", "DllBase": "0x7ffbc2830000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\nsi.dll", "DllBase": "0x7ffbc2830000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 1552} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1552} +{"Plugin": "apimon", "TimeStamp": "1716999143.277753", "PID": 1552, "PPID": 636, "TID": 3028, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": 
"LdrGetDllHandle", "EventUID": "0x19c92", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048b7f560:\"oleaut32.dll\"", "Arg3=0x9048b7f580"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.298086", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "NSPStartup", "EventUID": "0x19d4f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27d0119", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1435980", "Arg1=0x1439b10"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.310556", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x19dd9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bee00:\"C:\\\\Windows\\\\System32\\\\rasadhlp.dll\"", "Arg3=0x12bee48"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.336045", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x19f0e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", 
"ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.387727", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x1a190", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.415438", "PID": 4852, "PPID": 3888, "TID": 3788, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1a2f1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x3ead930:\"rpcrt4.dll\"", "Arg3=0x3ead978"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.459916", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x1a535", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.613919", "PID": 4852, "PPID": 3888, "TID": 3788, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "GetAddrInfoW", "EventUID": "0x1ad0d", "Event": "api_called", "CLSID": null, "CalledFrom": 
"0x45be1e", "ReturnValue": "0x2af9", "Arguments": ["Arg0=0xc00000e500", "Arg1=0x0", "Arg2=0xc000101f30", "Arg3=0xc000101ea0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.617584", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x1ad34", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.626741", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x1ad50", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.687911", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "GetAddrInfoW", "EventUID": "0x1b059", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2af9", "Arguments": ["Arg0=0xc00000c330", "Arg1=0x0", "Arg2=0xc0000c5f30", "Arg3=0xc0000c5ea0"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.118963", "PID": 1552, "PPID": 636, "TID": 1556, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1c169", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048a7eae0:\"ntdll.dll\"", "Arg3=0x9048a7eb00"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.155373", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x1c173", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.160033", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x1c189", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.199018", "PID": 1552, "PPID": 636, "TID": 1556, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1c2c6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048a7eaa0:\"ntdll.dll\"", "Arg3=0x9048a7eac0"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.203658", "PID": 1552, "PPID": 636, "TID": 1556, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1c2de", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048a7eb20:\"ntdll.dll\"", "Arg3=0x9048a7eb40"]} +{"Plugin": "syscall", "TimeStamp": "1716999134.579643", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCDword", "EventUID": "0x16", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 63, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.580389", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x17", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284040", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a0284070", "Timeout": "0xfffff506a0284078", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.580630", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x19", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.581122", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x1c", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.581251", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x1d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0x0", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.581449", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x1f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", 
"IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.581640", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x21", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.582021", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x23", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x43c", "Flags": "0x20000", "SendMessage": "0xb54c250", "SendMessageAttributes": "0x23eff58", "ReceiveMessage": "0xb54c250", "BufferLength": "0x272ef18", "ReceiveMessageAttributes": "0x23eff58", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.582359", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x25", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.582553", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x27", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", 
"IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0x7ffb00000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.582849", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x29", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x104", "PortInformationClass": "0x0", "PortInformation": "0x435237f548", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.583003", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x2a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.583430", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserValidateTimerCallback", "EventUID": "0x2e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.583473", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x2f", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x104", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x16a346d0a70", "BufferLength": 
"0x435237f538", "ReceiveMessageAttributes": "0x435237f558", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.583759", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x32", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.583795", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x33", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f458", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.584230", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x36", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.584274", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x37", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x16a34b70dc8", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.584728", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x3a", "Module": "win32k", "vCPU": 
0, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.584770", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x3b", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x435237f270", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.584877", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x3d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0xffff806700000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585047", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x3f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585133", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x40", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", 
"WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f65c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585286", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x43", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0x0", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585458", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x45", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585539", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x46", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x16a351ae930"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585990", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetTimerEx", "EventUID": "0x4a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 432, "NArgs": 4, "TimerHandle": "0x460", "TimerSetInformationClass": "0x0", "TimerSetInformation": 
"0x272f7b0", "TimerSetInformationLength": "0x30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.586162", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUpdateWnfStateData", "EventUID": "0x4c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 463, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.586314", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x4e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 91, "NArgs": 5, "Count": "0x1", "Handles[]": "0x272f850", "WaitType": "0x1", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.586454", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x4f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac568", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\.lnk\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.586732", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x50", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.587050", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserMsgWaitForMultipleObjectsEx", "EventUID": "0x53", "Module": "win32k", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 1158, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.587134", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x54", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x263a", "ValueName": "0x27accf8", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acbb0", "Length": "0x5a", "ResultLength": "0x27acb64"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587457", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x57", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x1b4", "PortInformationClass": "0x0", "PortInformation": "0xc6f217f828", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587653", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x59", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x20ea2805370", "BufferLength": "0xc6f217f818", "ReceiveMessageAttributes": "0xc6f217f838", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587730", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x263a"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587842", "PID": 2820, "PPID": 
636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x5c", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f738", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588060", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x5f", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x20e9f5dbd88", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588148", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x60", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588281", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x63", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "NArgs": 7, "SourceProcessHandle": "0xffffffffffffffff", "SourceHandle": "0x558", "TargetProcessHandle": "0xffffffffffffffff", "TargetHandle": "0xc6f217df00", "DesiredAccess": "0x0", "HandleAttributes": "0x0", "Options": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588451", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x65", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "NArgs": 7, "SourceProcessHandle": "0xffffffffffffffff", "SourceHandle": "0x718", "TargetProcessHandle": "0xffffffffffffffff", "TargetHandle": "0xc6f217ddc0", "DesiredAccess": "0x0", "HandleAttributes": "0x0", "Options": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588526", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x66", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2572"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588671", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x69", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "NArgs": 1, "Handle": "0x718"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588841", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x6b", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0xc6f217f550", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588915", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x6c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27acb00", "Length": "0x180", 
"ResultLength": "0x27acaec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589029", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x6e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x410000", "SendMessage": "0x20ea280b970", "SendMessageAttributes": "0xc6f217f530", "ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589386", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcQueryInformationMessage", "EventUID": "0x71", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 138, "NArgs": 6, "PortHandle": "0x554", "PortMessage": "0xb54e470", "MessageInformationClass": "0x3", "MessageInformation": "0x31ebb98", "Length": "0x14", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x72", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac730", "Length": "0x4", "ResultLength": "0x27ac768"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589762", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x75", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x0", "SendMessage": "0xb54e470", "SendMessageAttributes": "0x31ebbb0", 
"ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589809", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x76", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac6a8", "Length": "0x4", "ResultLength": "0x27ac6b8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590114", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x79", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac738", "DesiredAccess": "0x20019", "ObjectAttributes": "\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590354", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x20000", "SendMessage": "0xb54e470", "SendMessageAttributes": "0xb500ec8", "ReceiveMessage": "0xb54e470", "BufferLength": "0x31eb698", "ReceiveMessageAttributes": "0xb500ec8", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590599", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac748", "DesiredAccess": "0x20019", "ObjectAttributes": 
"\\Registry\\Machine\\Software\\Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590678", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x7e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "NArgs": 1, "Handle": "0x51c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590895", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x81", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f99c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591039", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x83", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591078", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x84", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x20ea1e40e80"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591236", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x86", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x1b4", "PortInformationClass": "0x0", "PortInformation": "0xc6f217f888", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591405", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x89", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x20ea280b970", "BufferLength": "0xc6f217f878", "ReceiveMessageAttributes": "0xc6f217f898", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591563", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x8b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591601", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x8c", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f798", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591771", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x8f", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x20e9f5dbd88", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591914", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x91", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591954", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x92", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0xc6f217f5b0", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592128", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x95", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f99c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592281", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x97", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592329", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x98", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x450000", "SendMessage": "0x20ea25346f0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592670", "PID": 3888, "PPID": 2852, "TID": 7160, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x9b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0x9cbd628"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592780", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x9c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "DisableProcessIsolation", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593114", "PID": 3888, "PPID": 2852, "TID": 7160, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x9f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x20000", "SendMessage": "0xb54a030", "SendMessageAttributes": "0xb502d28", "ReceiveMessage": "0xb54a030", "BufferLength": "0x9cbdcb8", "ReceiveMessageAttributes": "0xb502d28", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593289", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xa1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593383", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0xa2", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x1b4", "PortInformationClass": "0x0", "PortInformation": "0xc6f217f828", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593615", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xa5", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x20ea2805370", "BufferLength": "0xc6f217f818", "ReceiveMessageAttributes": "0xc6f217f838", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593767", "PID": 2820, "PPID": 636, "TID": 
5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xa7", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f738", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593853", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xa8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593999", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xab", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x20e9f5dbd88", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594210", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0xad", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "NArgs": 1, "Handle": "0x558"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594290", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xae", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594458", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xb1", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0xc6f217f550", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594643", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xb3", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f99c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xb4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594861", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", 
"EventUID": "0xb6", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x20ea1e40e80"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595290", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtDuplicateObject", "EventUID": "0xb9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 60, "NArgs": 7, "SourceProcessHandle": "0xffffffffffffffff", "SourceHandle": "0xbe4", "TargetProcessHandle": "0xffffffffffffffff", "TargetHandle": "0x31ed330", "DesiredAccess": "0x0", "HandleAttributes": "0x0", "Options": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595337", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "NoOplock", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595645", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xbd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595798", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xbf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.595947", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "NArgs": 5, "Handle": "0x6dc", "ObjectInformationClass": "0x1", "ObjectInformation": "0x0", "ObjectInformationLength": "0x0", "ReturnLength": "0x31ed438"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607263", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xc3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607593", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "NArgs": 5, "Handle": "0x6dc", "ObjectInformationClass": "0x1", "ObjectInformation": "0xb8157d0", "ObjectInformationLength": "0xae", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607894", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xc7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607936", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "NArgs": 5, "Handle": "0x6dc", "ObjectInformationClass": "0x4", "ObjectInformation": "0x31ed420", "ObjectInformationLength": "0x2", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608210", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xcb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608264", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationObject", "EventUID": "0xcc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 92, "NArgs": 4, "Handle": "0x6dc", "ObjectInformationClass": "0x4", "ObjectInformation": "0x31ed420", "ObjectInformationLength": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608623", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenSection", "EventUID": "0xcf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 55, "NArgs": 3, "SectionHandle": "0x31ed3c8", "DesiredAccess": "0x4", "ObjectAttributes": "RestrictedErrorObject-{E4F7C058-38B2-4C85-64DD-9071BBDC9034}"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608911", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xd1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "UseInProcHandlerCache", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.609144", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xd2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x20000", "SendMessage": "0xb547e10", "SendMessageAttributes": "0xb500ec8", "ReceiveMessage": "0xb547e10", "BufferLength": "0x31edcb8", "ReceiveMessageAttributes": "0xb500ec8", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.609468", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.609596", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0xd5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 51, "NArgs": 6, "FileHandle": "0x75ce30", "DesiredAccess": "0x100001", "ObjectAttributes": "\\??\\c:\\program files (x86)\\microsoft\\edge\\SystemResources\\msedge.exe.mun", "IoStatusBlock": "0x75cdf0", "ShareAccess": "0x5", "OpenOptions": "0x60"} +{"Plugin": "syscall", "TimeStamp": "1716999134.610163", "PID": 3888, 
"PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.610419", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0xda", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.610532", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xdb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.610785", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xde", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.610872", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xdf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": 
"\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.611121", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0xe2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.611324", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xe4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "UseOutOfProcHandlerCache", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.611425", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0xe5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 59, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.611727", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xe8", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.611813", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xe9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2572"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.612043", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0xec", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 53, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.612129", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateEvent", "EventUID": "0xed", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 72, "NArgs": 5, "EventHandle": "0x27ac9e8", "DesiredAccess": "0x1f0003", "ObjectAttributes": "0x0", "EventType": "0x1", "InitialState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.612356", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xf0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.612463", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0xf1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x27acf20"} +{"Plugin": "syscall", "TimeStamp": "1716999134.612582", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0xf3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": 
"0x27acf20"} +{"Plugin": "syscall", "TimeStamp": "1716999134.612852", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0xf6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.613109", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0xf8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x27ad0c8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "0x0", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.613196", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xf9", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.613456", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateFile", "EventUID": "0xfc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 85, "NArgs": 11, "FileHandle": "0x27acf00", "DesiredAccess": "0x80100080", "ObjectAttributes": "\\??\\C:\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "IoStatusBlock": "0x27acf08", "AllocationSize": "0x0", "FileAttributes": "0x0", "ShareAccess": "0x3", "CreateDisposition": "0x1", "CreateOptions": "0x60", "EaBuffer": "0x0", "EaLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.613617", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtGdiSelectBitmap", "EventUID": "0xfd", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.613877", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x100", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614019", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x102", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.614254", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x104", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614370", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x106", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.614587", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x108", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614685", 
"PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x109", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 10, "NArgs": 1, "hWnd": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614996", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReadFile", "EventUID": "0x10c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 6, "NArgs": 9, "FileHandle": "\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "Event": "0x0", "ApcRoutine": "0x0", "ApcContext": "0x0", "IoStatusBlock": "0x27ace60", "Buffer": "0xada3264", "Length": "0x1000", "ByteOffset": "0x0", "Key": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.616392", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0x10d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.616648", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x110", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.616761", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x112", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1196, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.616991", "PID": 3888, "PPID": 2852, "TID": 
2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x114", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.617190", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x116", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.617398", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x118", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.617494", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x119", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.617739", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x11c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.617823", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x11d", "Module": "win32k", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 59, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.618057", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x120", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.618168", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x122", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.618373", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x124", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.618456", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x125", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 53, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.618698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x128", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.618808", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x12a", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.619031", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x12c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.619141", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x12e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.619368", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x130", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.619450", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x131", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.619724", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x134", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, 
"Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.619810", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x135", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.620043", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x138", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.620154", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x13a", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.620367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x13c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.620477", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x13e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.620697", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x140", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.620814", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x142", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.621026", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x144", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.621108", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x145", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.621343", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x148", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.621461", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateBitmap", "EventUID": "0x14a", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 107, 
"NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.621753", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x14c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.621861", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x14d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.622081", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x150", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622159", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x151", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.622384", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x154", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622463", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x155", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "NArgs": 11, "hdcDst": "0x120108a8", "x": "0x0", "y": "0x0", "cx": "0x30", "cy": "0x60", "hdcSrc": "0x401019a", "xSrc": "0x0", "ySrc": "0x0", "rop4": "0xcc0020", "crBackColor": "0xffffffff", "fl": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622772", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x158", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622865", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x159", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.623099", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x15c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.623170", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x15d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.623390", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x160", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.623461", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x161", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.623781", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x164", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac018", "Length": "0x4", "ResultLength": "0x27ac028"} +{"Plugin": "syscall", "TimeStamp": "1716999134.623857", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x165", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.624085", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x168", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac048", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624257", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCreateEmptyCursorObject", "EventUID": "0x169", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 956, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.624470", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x16c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac100", "Length": "0x10", "ResultLength": "0x27ac0b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624571", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetCursorIconData", "EventUID": "0x16d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 158, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.624882", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUnmapViewOfSection", "EventUID": "0x170", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 42, "NArgs": 2, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x121a0000"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624920", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x171", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624991", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtUnmapViewOfSectionEx", "EventUID": "0x172", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 461, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x121a0000", "Flags": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.625707", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x176", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac018", "Length": "0x4", "ResultLength": "0x27ac028"} +{"Plugin": "syscall", "TimeStamp": "1716999134.625856", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x178", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x75e908", "Length": "0x4", "ResultLength": "0x75e918"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626004", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x17a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac048", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626182", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x17c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x75e938", "DesiredAccess": "0x20119", "ObjectAttributes": 
"\\Software\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626368", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x17e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac100", "Length": "0x10", "ResultLength": "0x27ac0b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626542", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x17f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "NArgs": 4, "KeyHandle": "0xbe4", "KeySetInformationClass": "0x5", "KeySetInformation": "0x75e930", "KeySetInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626811", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x182", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "PolicyType", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626881", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x183", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627196", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x186", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb08", "Length": "0x4", "ResultLength": "0x27abb18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627345", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x188", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "Behavior", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627508", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x189", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb38", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627832", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "MergeAlgorithm", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627878", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abbf0", "Length": "0x10", "ResultLength": "0x27abba4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628258", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x190", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "RegKeyPathRedirectMapped", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628325", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x191", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628621", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x194", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb08", "Length": "0x4", "ResultLength": "0x27abb18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628774", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x196", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", 
"ValueName": "RegKeyPathRedirect", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628938", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x197", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb38", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "grouppolicyname", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629281", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abbf0", "Length": "0x10", "ResultLength": "0x27abba4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629667", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", 
"ValueName": "ADMXMetadataUser", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629711", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x19f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630176", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1a2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "ADMXMetadataDevice", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630217", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630492", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ace18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630637", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryValueKey", "EventUID": "0x1a8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "ADMXMetadataBoth", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630778", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1a9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631037", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1ac", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "TerminalServices-RemoteConnectionManager-AllowAppServerMode", "Type": "0x75e9d0", "Buffer": "0x75e9c0", "Length": "0x4", "ReturnedLength": "0x75e9d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631120", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1ad", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "NArgs": 5, "FileHandle": "\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "IoStatusBlock": "0x27acea0", "FileInformation": "0xada42d8", "Length": "0x28", "FileInformationClass": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631408", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": 
"Kernel-ProductInfo", "Type": "0x75e884", "Buffer": "0x75e888", "Length": "0x4", "ReturnedLength": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631489", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1b1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "NArgs": 5, "FileHandle": "\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "IoStatusBlock": "0x27acea0", "FileInformation": "0xada4300", "Length": "0x18", "FileInformationClass": "0x5"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631755", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Kernel-ProductInfoLegacyMapping", "Type": "0x75e884", "Buffer": "0x75e8c0", "Length": "0xc8", "ReturnedLength": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631796", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1b5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ace18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632065", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "30Value", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75e7b0", "Length": "0xc", "ResultLength": "0x75e764"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.632116", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1b9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632419", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1bc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632569", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "Value", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633312", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1c2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.633476", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x1c4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633622", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1c6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633797", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x1c8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x75e838", "Length": "0x4", "ResultLength": "0x75e848"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633971", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1ca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634128", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x1cc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x75e868", "DesiredAccess": "0x20119", "ObjectAttributes": 
"\\Software\\Microsoft\\PolicyManager\\current\\Device\\DataProtection", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634325", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1cd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634593", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetIconInfo", "EventUID": "0x1d0", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 79, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.634629", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1d1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634880", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1d4", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.634915", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635178", "PID": 3888, "PPID": 2852, "TID": 6956, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x1d8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 10, "NArgs": 1, "hWnd": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635213", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1d9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635447", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1dc", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.635481", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x1e0", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1196, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.635764", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1e1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636000", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1e4", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636042", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1e5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636306", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x1e8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636341", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1e9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636594", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1ec", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636639", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636899", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1f0", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636933", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1f1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637190", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1f4", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.637224", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637484", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBSection", "EventUID": "0x1f8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 151, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.637530", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1f9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637619", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x1fa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0x0", "ZeroBits": "0x0", "RegionSize": "0xfffff5069e7b49c8", "AllocationType": "0x3000", "Protect": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637839", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1fe", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638039", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x200", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.638117", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x201", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": 
"0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638338", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x204", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 152, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.638416", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x205", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638650", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x208", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 59, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.638728", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x209", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638954", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x20c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.639045", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtReleaseMutant", "EventUID": "0x20d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.639287", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x210", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 53, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.639367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x211", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.639610", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x214", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.639693", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x215", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.639921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x218", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 41, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.640004", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x219", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.640235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x21c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.640327", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x21d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.640558", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x220", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.640651", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x221", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.640882", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtGdiRestoreDC", "EventUID": "0x224", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 58, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.640964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x225", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.641183", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x228", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.641261", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x229", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.641483", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x22c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.641573", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x22d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.641806", 
"PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x230", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.641884", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x231", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642105", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x234", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.642182", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x235", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642401", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x238", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.642478", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x239", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x23c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642815", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x23d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643048", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x240", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e700", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643137", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x241", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643370", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenProcess", "EventUID": "0x244", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e758", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e700", "ClientId": "0x75e6f0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643480", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x245", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.644761", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x248", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e770"} +{"Plugin": "syscall", "TimeStamp": "1716999134.644846", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x249", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e770"} +{"Plugin": "syscall", "TimeStamp": "1716999134.644922", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x24a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645271", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x24e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645349", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x24f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75e810", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e790"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645624", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x252", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645702", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x253", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e6e8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645973", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x256", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", 
"PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646122", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x258", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646272", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x25a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646433", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x25c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646584", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x25e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646757", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x260", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646908", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x262", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647044", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x264", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647207", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x266", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647367", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x268", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647537", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x26a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647782", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x26c", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e6e0", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647942", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x26e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648085", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x270", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e738", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6e0", "ClientId": "0x75e6d0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648680", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x272", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648828", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x274", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e750"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648911", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x275", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e750"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x276", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649321", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x27a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75e7f0", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e770"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649358", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x27b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649626", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x27e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e6c8", "DesiredAccess": "0x1f0001", "ObjectAttributes": 
"Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649676", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x27f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649943", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x282", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649989", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x283", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650242", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x286", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650275", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x287", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.650525", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x28a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650557", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x28b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650807", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x28e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650845", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x28f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651104", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x292", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651137", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x293", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651387", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0x296", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 51, "NArgs": 6, "FileHandle": "0x75e7d8", "DesiredAccess": "0x100000", "ObjectAttributes": "\\??\\C:\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer", "IoStatusBlock": "0x75e7f0", "ShareAccess": "0x0", "OpenOptions": "0x800021"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651452", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x297", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651701", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVolumeInformationFile", "EventUID": "0x29a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 73, "NArgs": 5, "FileHandle": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer", "IoStatusBlock": "0x75e7f0", "FsInformation": "0x75e830", "Length": "0x18", "FsInformationClass": "0xfc6315f700000003"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651773", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x29b", "Module": "nt", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652034", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x29e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652067", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x29f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652300", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652334", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652583", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", 
"ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652620", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2a7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652880", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2aa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652930", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653436", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653473", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2af", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653530", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2b0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653857", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653998", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654149", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654319", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654471", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654624", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2be", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654788", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654939", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2c2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655078", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655216", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655512", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655665", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655815", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", 
"EventUID": "0x2ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655955", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656102", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2d2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656247", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2d4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656395", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656853", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657008", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2da", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657085", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2db", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657249", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657516", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2e0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.657555", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657857", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2e4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657914", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658168", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658202", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2e9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.658458", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658496", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658763", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2f0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658796", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659055", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x2f4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659094", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659357", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659393", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2f9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659652", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659704", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659963", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryInformationProcess", "EventUID": "0x300", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660006", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x301", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660256", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x304", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660309", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x305", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660823", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x308", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660859", "PID": 3888, "PPID": 
2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x309", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660926", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x30a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661235", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x30e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661376", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x310", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661539", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x312", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.661696", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x314", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661848", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x316", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662008", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x318", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662167", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x31a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662319", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x31c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.662461", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x31e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.662612", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x320", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.662777", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x322", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.662928", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x324", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.663071", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x326", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.663224", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x328", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.663379", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.663537", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x32c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.663709", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.663860", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x330", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"}
+{"Plugin": "syscall", "TimeStamp": 
"1716999134.664575", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x332", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.664853", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x334", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.664896", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x335", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.664971", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x336", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.665315", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": 
"syscall", "TimeStamp": "1716999134.665470", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x33c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.665647", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.665819", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x340", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.665971", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x342", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.666157", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": 
"0x344", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.666322", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x346", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.666479", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x348", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.666624", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x34a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.666789", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x34c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.666937", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x34e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": 
"1716999134.667091", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x350", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.667249", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x352", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.667416", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x354", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.667565", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x356", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.667719", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x358", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.667866", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.668021", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x35c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.668183", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.668337", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x360", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.668749", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x362", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": 
"1716999134.668905", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x364", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.668986", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x365", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.669103", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x366", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.669435", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x36a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.669474", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x36b", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.669745", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x36e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.669799", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x36f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.670066", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x372", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.670100", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x373", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.670411", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x376", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.670452", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x377", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.670727", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.670766", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671023", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x37e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671059", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x37f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671331", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x382", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671365", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x383", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671621", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x386", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671659", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x387", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671916", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x38a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": 
"0x75e890", "ClientId": "0x75e880"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.671970", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x38b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.672489", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x38e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.672526", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x38f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.672660", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x390", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.672986", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x394", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.673126", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x396", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.673283", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x398", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.673521", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x39a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.673672", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x39c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.673824", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x39e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.673964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3a0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.674113", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.674272", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.674425", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.674567", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", 
"Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.674729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x3aa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.674872", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3ac", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.675020", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.675160", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.675322", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"}
+{"Plugin": "syscall", "TimeStamp": 
"1716999134.675480", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.675634", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.675797", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.675948", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.676373", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": 
"0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x27acd60"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.676454", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x27acd60"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.676574", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3be", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.676694", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x3c0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.677014", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x27ace00"}
+{"Plugin": "syscall", "TimeStamp": "1716999134.677095", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3c5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x27ace00"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677197", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3c6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677532", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677580", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x3cb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677848", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677883", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3cf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abcd8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678173", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678211", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3d3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x14a8", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abd90", "Length": "0x10", "ResultLength": "0x27abd44"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678505", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3d6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678679", "PID": 3888, "PPID": 2852, "TID": 
2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678829", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3da", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678989", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x3dc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679145", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3de", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679288", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3e0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abcd8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679466", "PID": 3888, 
"PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3e2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679954", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3e4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3e5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x14a8", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abd90", "Length": "0x10", "ResultLength": "0x27abd44"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680536", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680615", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtOpenProcessTokenEx", "EventUID": "0x3e9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680731", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ea", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681133", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3ee", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681341", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0x507000", "ZeroBits": "0x0", "RegionSize": "0x27abb10", "AllocationType": "0x1000", "Protect": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681523", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3f2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": 
"Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681868", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681902", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0xb8fc000", "ZeroBits": "0x0", "RegionSize": "0x27a9730", "AllocationType": "0x1000", "Protect": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682206", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682538", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3fa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682684", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3fc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 
1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682824", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3fe", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682992", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x400", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683132", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x402", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683283", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x404", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683432", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x406", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683599", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x408", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683796", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x40a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac428", "Length": "0x4", "ResultLength": "0x27ac438"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683943", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x40c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684089", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x40e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac458", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684268", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x410", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684679", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x412", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac510", "Length": "0x10", "ResultLength": "0x27ac4c4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684814", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x413", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684895", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x414", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685212", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x418", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685357", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x41a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685503", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x41c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac428", "Length": "0x4", "ResultLength": "0x27ac438"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685676", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x41e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685817", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x420", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac458", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685988", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x422", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686131", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x424", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac510", "Length": "0x10", "ResultLength": "0x27ac4c4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686271", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x425", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686555", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x428", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686589", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x429", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686861", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x42c", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abf18", "Length": "0x4", "ResultLength": "0x27abf28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686903", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x42d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687166", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x430", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abf48", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687217", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x431", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687480", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x434", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac000", "Length": "0x10", "ResultLength": "0x27abfb4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687522", "PID": 3888, "PPID": 
2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x435", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687820", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x438", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688232", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x43a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688377", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x43c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688467", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x43d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", 
"DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688576", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x43e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abf18", "Length": "0x4", "ResultLength": "0x27abf28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688892", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x442", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abf48", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688944", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x443", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689196", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x446", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac000", "Length": "0x10", "ResultLength": 
"0x27abfb4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689238", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x447", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689540", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689686", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689861", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690033", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x450", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27acf28", "Length": "0x4", "ResultLength": 
"0x27acf38"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690117", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x451", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690350", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x454", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27acf58", "DesiredAccess": "0x20119", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690479", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x455", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690708", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x458", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "NArgs": 4, "KeyHandle": "0x8b0", "KeySetInformationClass": "0x5", "KeySetInformation": "0x27acf50", "KeySetInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690811", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x459", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, 
"MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691043", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x45c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x8b0", "KeyInformationClass": "0x4", "KeyInformation": "0x27aced0", "Length": "0x28", "ResultLength": "0x27acda0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691129", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x45d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691434", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x460", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691515", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x461", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691761", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x464", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691884", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x465", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x27ac900", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692309", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x468", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692395", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x469", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x27ac4d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692431", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692555", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x27ac4d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692942", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x470", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693028", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x471", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x8b0", "TokenInformationClass": "0x12", "TokenInformation": "0x27ac4bc", "TokenInformationLength": "0x4", "ReturnLength": "0x27ac4cc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693238", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x474", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693500", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x477", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693581", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x478", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693803", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x47b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abf20", "Length": "0x180", "ResultLength": "0x27abf0c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693886", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x47c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694193", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x47f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694267", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x480", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 
22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb50", "Length": "0x4", "ResultLength": "0x27abb88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694505", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x483", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694580", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x484", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abac8", "Length": "0x4", "ResultLength": "0x27abad8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694803", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x487", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694882", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x488", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb58", "DesiredAccess": "0x20019", "ObjectAttributes": "\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.695180", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", 
"EventUID": "0x48b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.697389", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.698139", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x48f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.698305", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x490", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.698939", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x493", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2638", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", 
"TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.699431", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x495", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.699788", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x497", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.700167", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x499", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.700454", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x49b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.700745", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x49d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.701021", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x49f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.701322", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.701623", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4a3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.701921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.702481", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4a7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 
297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.702561", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4a8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.703059", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x8b0", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.703356", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.703746", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.704042", "PID": 3888, "PPID": 2852, "TID": 
6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.704359", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4b3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.705967", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.706350", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.706706", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.706937", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4bb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.707829", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.707979", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.708400", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x14a8", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.708763", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4c3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": 
"0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.709242", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.709554", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.709923", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.710238", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x4cb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.710534", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4cd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.711886", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.712359", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4d2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.712872", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.713205", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4d6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "NArgs": 11, "hdcDst": "0x710107cc", "x": "0x0", "y": "0x0", "cx": "0x400", "cy": "0x2d8", "hdcSrc": "0x610108f5", "xSrc": "0x0", "ySrc": "0x0", "rop4": "0xcc0020", "crBackColor": "0xffffffff", "fl": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.714358", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d8", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.714680", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4da", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.714989", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExcludeClipRect", "EventUID": "0x4dc", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 150, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.715423", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4de", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.715760", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.717243", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.717664", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.717997", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.718237", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtFindAtom", "EventUID": "0x4e8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 20, "NArgs": 3, "AtomName": "0x7ffbc1f85250", "Length": "0x1c", "Atom": "0x16d5e0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.718577", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4eb", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.719162", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x4ed", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.719503", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetAppClipBox", "EventUID": "0x4ef", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 67, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.720141", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x4f1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.720481", "PID": 3888, "PPID": 2852, "TID": 3844, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4f3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.720888", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4f5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "NArgs": 11, "hdcDst": "0x710107cc", "x": "0x0", "y": "0x2d8", "cx": "0x400", "cy": "0x28", "hdcSrc": "0x2401075f", "xSrc": "0x0", "ySrc": "0x2d8", "rop4": "0xcc0020", "crBackColor": "0xffffffff", "fl": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.721340", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4f7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.721642", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x4f8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb68", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722218", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x4fb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe70", "Length": "0x188", 
"ResultLength": "0x27abe4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722351", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x4fc", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.722634", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x4ff", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba90", "Length": "0x4", "ResultLength": "0x27abac8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722674", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x500", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x16ce58", "Length": "0x4", "ResultLength": "0x16ce68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722946", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x503", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ab980", "TokenInformationLength": "0x58", "ReturnLength": "0x27ab978"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723001", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", 
"EventUID": "0x504", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16ce88", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723388", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x507", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27aba98", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723433", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x508", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "DisplayVersion", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cf40", "Length": "0x10", "ResultLength": "0x16cef4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723864", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x50b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x264a", "ValueName": "0x27ac228", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac0e0", "Length": "0x90", "ResultLength": "0x27ac094"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723924", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x50c", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724194", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x50f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0x16d190", "DesiredAccess": "0x82000000", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\2BD63D28D7BCD0E251195AEB519243C13142EBC3"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724369", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x510", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe90", "Length": "0x180", "ResultLength": "0x27abe7c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724658", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x513", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0x16d190", "DesiredAccess": "0x82000000", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\2BD63D28D7BCD0E251195AEB519243C13142EBC3"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724817", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x514", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abac0", 
"Length": "0x4", "ResultLength": "0x27abaf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725113", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x517", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba38", "Length": "0x4", "ResultLength": "0x27aba48"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725150", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x518", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x16d020", "TokenInformationLength": "0x58", "ReturnLength": "0x16d018"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725432", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x51b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abac8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725536", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x51c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0x16d190", "DesiredAccess": "0x82000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001\\\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\2BD63D28D7BCD0E251195AEB519243C13142EBC3"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.725944", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x51f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abad8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725986", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x520", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0x16cdf8", "Length": "0x4", "ResultLength": "0x16ce08"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726232", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x523", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe20", "Length": "0x180", "ResultLength": "0x27abe0c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726268", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x524", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16ce28", "DesiredAccess": "0x1", "ObjectAttributes": "\\Control Panel\\Desktop", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726661", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x527", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "PaintDesktopVersion", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cee0", "Length": "0x10", "ResultLength": "0x16ce94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726837", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x528", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba50", "Length": "0x4", "ResultLength": "0x27aba88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727126", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x52b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ab940", "TokenInformationLength": "0x58", "ReturnLength": "0x27ab938"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727170", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x52c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727447", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x52f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27aba58", 
"DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile\\CurVer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727500", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x530", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "NArgs": 4, "SystemInformationClass": "0x67", "SystemInformation": "0x16d150", "SystemInformationLength": "0x8", "ReturnLength": "0x16d158"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727906", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x535", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27ab9c8", "Length": "0x4", "ResultLength": "0x27ab9d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728090", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x537", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "NArgs": 4, "SystemInformationClass": "0x86", "SystemInformation": "0x16d050", "SystemInformationLength": "0x20", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728214", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x539", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27aba68", "DesiredAccess": "0x1", "ObjectAttributes": "\\CurVer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.728551", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x53c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-FlexibleClipEnabled", "Type": "0x0", "Buffer": "0xfffff506a06aa0bc", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728778", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x53e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Virtualization-AllowInheritance", "Type": "0x0", "Buffer": "0xfffff506a06aa034", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa03c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728862", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x53f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe80", "Length": "0x180", "ResultLength": "0x27abe6c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728999", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x541", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-IgnoreDeferredActivation", "Type": "0x0", "Buffer": "0xfffff506a06aa0d0", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0cc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729185", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x544", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729363", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x546", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x547", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abab0", "Length": "0x4", "ResultLength": "0x27abae8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729698", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x54a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729792", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x54b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ab9a0", "TokenInformationLength": "0x58", "ReturnLength": "0x27ab998"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730025", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x54e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730096", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x54f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abab8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730336", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x552", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730509", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x554", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, 
"NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730586", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x555", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba28", "Length": "0x4", "ResultLength": "0x27aba38"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730846", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x558", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730925", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x559", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abac8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731159", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.731237", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe6"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731586", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x560", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000158", "ValueName": "BCAD88B8AD93307DF004940AC03E83B40FEDF759EFA4CEC43530389481543307", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9cc0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731708", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x561", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac190", "Length": "0x188", "ResultLength": "0x27ac16c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731974", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x564", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06a9f30", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Hvsi"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732186", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryValueKey", "EventUID": "0x566", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "DisableLicensingVdevForWDAG", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ee0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732286", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x567", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abdb0", "Length": "0x4", "ResultLength": "0x27abde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732538", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x56a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 7, "KeyHandle": "0xfffff506a06a9ef0", "DesiredAccess": "0xf003f", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Hvsi", "TitleIndex": "0x0", "Class": "0x0", "CreateOptions": "0x0", "Disposition": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x56b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abca0", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732891", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x56e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "HostRedirect", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733066", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x56f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abdb8", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733185", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x571", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "IsHvsiContainer", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733470", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x574", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80002420"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733546", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x575", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2696", "ValueName": "IsShortcut", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac400", "Length": "0xc", "ResultLength": "0x27ac3b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733806", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x578", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733980", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x579", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac0f0", "Length": "0x180", "ResultLength": "0x27ac0dc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.734524", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x57d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "NArgs": 4, "SystemInformationClass": "0x86", "SystemInformation": "0x16d050", "SystemInformationLength": "0x20", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.734610", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x57e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd20", "Length": "0x4", "ResultLength": "0x27abd58"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.734910", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x582", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc10", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc08"} +{"Plugin": "syscall", "TimeStamp": "1716999134.734952", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x583", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-FlexibleClipEnabled", "Type": "0x0", "Buffer": "0xfffff506a06aa0bc", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735152", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x586", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Virtualization-AllowInheritance", "Type": "0x0", "Buffer": "0xfffff506a06aa034", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa03c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735318", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x588", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd28", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.735393", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x589", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-IgnoreDeferredActivation", "Type": "0x0", "Buffer": "0xfffff506a06aa0d0", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0cc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735558", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x58b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735749", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x58e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735875", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x58f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abc98", "Length": "0x4", "ResultLength": "0x27abca8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736079", "PID": 3888, "PPID": 2852, "TID": 
3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x592", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736210", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x593", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736428", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x595", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736773", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x598", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac110", "Length": "0x180", "ResultLength": "0x27ac0fc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736815", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x599", "Module": "nt", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736992", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x59b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737290", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x59e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd40", "Length": "0x4", "ResultLength": "0x27abd78"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737329", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x59f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737663", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5a2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc30", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737701", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5a3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738053", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738113", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5a7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000158", "ValueName": "BCAD88B8AD93307DF004940AC03E83B40FEDF759EFA4CEC43530389481543307", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9cc0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738413", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x5aa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": 
"0xfffff506a06a9f30", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Hvsi"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738653", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ac", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abcb8", "Length": "0x4", "ResultLength": "0x27abcc8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738692", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "DisableLicensingVdevForWDAG", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ee0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738999", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5b0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd58", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739066", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x5b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 7, "KeyHandle": "0xfffff506a06a9ef0", "DesiredAccess": "0xf003f", "ObjectAttributes": 
"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Hvsi", "TitleIndex": "0x0", "Class": "0x0", "CreateOptions": "0x0", "Disposition": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739259", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "HostRedirect", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739616", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abf50", "Length": "0x180", "ResultLength": "0x27abf3c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739657", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "IsHvsiContainer", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739951", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5ba", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80002420"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.740082", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb80", "Length": "0x4", "ResultLength": "0x27abbb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.740304", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.740427", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abaf8", "Length": "0x4", "ResultLength": "0x27abb08"} +{"Plugin": "syscall", "TimeStamp": "1716999134.741010", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb88", "DesiredAccess": "0x20019", "ObjectAttributes": "\\SystemFileAssociations\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.741108", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSystemParametersInfo", "EventUID": "0x5c4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 66, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.741435", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x5c7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.741538", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5c8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb98", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.741856", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserEndPaint", "EventUID": "0x5cb", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.741966", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5cc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac100", "Length": "0x180", "ResultLength": "0x27ac0ec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.742654", "PID": 5740, "PPID": 5640, "TID": 5904, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x5cf", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xffffffff80000758", 
"PreviousState": "0xfffff5069eb0c010"} +{"Plugin": "syscall", "TimeStamp": "1716999134.742884", "PID": 5740, "PPID": 5640, "TID": 5904, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x5d2", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "NArgs": 5, "Count": "0x4", "Handles[]": "0xfffff5069eb0c910", "WaitType": "0x1", "Alertable": "0x1", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743167", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCancelTimer", "EventUID": "0x5d4", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 97, "NArgs": 2, "TimerHandle": "0x288", "CurrentState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743229", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd30", "Length": "0x4", "ResultLength": "0x27abd68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743510", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5d8", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x274", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743548", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5d9", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc20", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743814", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5dc", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x26c", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743850", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744180", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e0", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x288", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744325", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5e2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": 
"0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744488", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e4", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0xffc", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744630", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5e6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744800", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISetSyncRefreshCountWaitTarget", "EventUID": "0x5e7", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 586, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.745104", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x5ea", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 91, "NArgs": 5, "Count": "0x2", "Handles[]": "0x86900ffc68", "WaitType": "0x1", "Alertable": "0x0", "Timeout": "0x86900ff910"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745270", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5eb", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac020", "Length": "0x180", "ResultLength": "0x27ac00c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745402", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCallbackReturn", "EventUID": "0x5ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 5, "NArgs": 3, "OutputBuffer": "0x16f630", "OutputLength": "0x18", "Status": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745660", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x5ef", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.745734", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5f0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abc50", "Length": "0x4", "ResultLength": "0x27abc88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745837", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x5f2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionReserveHandle": "0xffffffff80000b24", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0xfffff50600000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745986", "PID": 3888, "PPID": 
2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x5f4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionInformation": "0xfffff5069e502898", "Count": "0x1", "NumEntriesRemoved": "0xfffff5069e5026bc", "Timeout": "0xfffff5069e5026d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746058", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abb40", "TokenInformationLength": "0x58", "ReturnLength": "0x27abb38"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746314", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5f9", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.746353", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5fa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abc58", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile\\Clsid", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746688", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5fd", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.746821", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ff", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abbc8", "Length": "0x4", "ResultLength": "0x27abbd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746975", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x601", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.747103", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x603", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abc68", "DesiredAccess": "0x1", "ObjectAttributes": "\\Clsid", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.747271", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x604", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.747538", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x607", "Module": "win32k", "vCPU": 
1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.747583", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x608", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac170", "Length": "0x180", "ResultLength": "0x27ac15c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.747905", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x60b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x1304", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.747984", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x60c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abda0", "Length": "0x4", "ResultLength": "0x27abdd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.748283", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x60f", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.748363", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x610", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, 
"PortHandle": "0x43c", "Flags": "0x20000", "SendMessage": "0xb54e470", "SendMessageAttributes": "0x23eff58", "ReceiveMessage": "0xb54e470", "BufferLength": "0xc17e5d8", "ReceiveMessageAttributes": "0x23eff58", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.748433", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x611", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionReserveHandle": "0xffffffff80000b24", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0xffff806700000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.748737", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x613", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionInformation": "0xfffff5069e502898", "Count": "0x1", "NumEntriesRemoved": "0xfffff5069e5026bc", "Timeout": "0xfffff5069e5026d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749019", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x617", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x104", "PortInformationClass": "0x0", "PortInformation": "0x435237f548", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749202", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtUserGetThreadState", "EventUID": "0x619", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.749340", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x61b", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x104", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x16a346dd670", "BufferLength": "0x435237f538", "ReceiveMessageAttributes": "0x435237f558", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749519", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x61d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.749679", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x61f", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f458", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749875", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x621", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.750023", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x623", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x16a34b70dc8", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.750191", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x625", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.750399", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x627", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x435237f270", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.750551", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x629", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.750692", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x62b", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f65c", "WorkerFactoryInformationLength": "0x4"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.750885", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x62d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.751009", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x62f", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x16a351ae930"} +{"Plugin": "syscall", "TimeStamp": "1716999134.751225", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x631", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.751458", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x633", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xf50"} +{"Plugin": "syscall", "TimeStamp": "1716999134.751614", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x635", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.751767", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x637", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x19c4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.751941", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x639", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752080", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x63b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x12c0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.752237", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x63d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752395", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x63f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752556", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x641", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752704", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x643", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2714"} +{"Plugin": "syscall", "TimeStamp": "1716999134.752860", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x645", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753010", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x647", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x19c0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.753166", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x649", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753297", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x64b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x26fc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.753535", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x64d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753671", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtCancelWaitCompletionPacket", "EventUID": "0x64f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753827", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x651", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753958", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x653", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x1484"} +{"Plugin": "syscall", "TimeStamp": "1716999134.754125", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x655", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.754259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x657", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x263c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.754418", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x659", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.754557", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x65b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x13f0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.754794", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x65d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.754931", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x65f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755091", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x661", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755238", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x663", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x1820"} +{"Plugin": "syscall", "TimeStamp": "1716999134.755400", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x665", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755564", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x667", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x13a4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.755722", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x669", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755857", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x66b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x138c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.756023", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x66d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.756188", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x66f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.756401", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x671", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.756570", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x673", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.756757", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x675", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.757015", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x677", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0xc17e1a8", "Length": "0x4", "ResultLength": "0xc17e1b8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.757168", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x679", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.757321", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x67b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0xc17e1d8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.757543", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x67d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.757959", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x67f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x268c", "ValueName": "NoStrCmpLogical", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xc17e220", "Length": "0x10", "ResultLength": "0xc17e1d4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.758500", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x682", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.758538", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x683", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ffca0", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.758825", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x686", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0xc17e1a8", "Length": "0x4", "ResultLength": "0xc17e1b8"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.758864", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x687", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.759157", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x68a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0xc17e1d8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.759207", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x68b", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x86900ffa40", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.759497", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetTimerEx", "EventUID": "0x68e", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 432, "NArgs": 4, "TimerHandle": "0x280", "TimerSetInformationClass": "0x0", "TimerSetInformation": "0x86900ff950", "TimerSetInformationLength": "0x30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.759698", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x690", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 356, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.759733", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionBeginFrame", "EventUID": "0x691", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 286, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.759810", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x692", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xffffffff80000758"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760078", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x696", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17c490"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760170", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x697", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17c490"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760285", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetConnectionBatch", "EventUID": "0x698", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 305, "NArgs": 
0} +{"Plugin": "syscall", "TimeStamp": "1716999134.760619", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x69c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17c510"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760656", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x69d", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0x450", "IoCompletionInformation": "0x86900ff400", "Count": "0x1", "NumEntriesRemoved": "0x86900ff3f0", "Timeout": "0x86900ff3f8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760732", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x69e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17c510"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761075", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x6a2", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "NArgs": 5, "Count": "0x1", "Handles[]": "0x1c25606f540", "WaitType": "0x1", "Alertable": "0x0", "Timeout": "0x86900fef50"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761243", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761321", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6a5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761388", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x6a6", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0x450", "IoCompletionInformation": "0x86900ff400", "Count": "0x1", "NumEntriesRemoved": "0x86900ff3f0", "Timeout": "0x86900ff3f8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761715", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6aa", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761805", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6ab", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x17", "ProcessInformation": "0xc17d4e0", "ProcessInformationLength": "0x24", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762076", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameLegacyTokens", "EventUID": "0x6ae", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 307, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.762154", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6af", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6b1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762507", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiHLSurfGetInformation", "EventUID": "0x6b4", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 733, "NArgs": 0} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.762717", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x17", "ProcessInformation": "0xc17d4e0", "ProcessInformationLength": "0x24", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762801", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6b7", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.763053", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17dc30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.763147", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17dc30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.763224", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6bc", "Module": 
"win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.763574", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x6c0", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.763662", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6c1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x17", "ProcessInformation": "0xc17dc30", "ProcessInformationLength": "0x24", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.763972", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameSurfaceUpdates", "EventUID": "0x6c4", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 309, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.764056", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x6c5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 356, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.764340", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6c8", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", 
"ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.764481", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x6ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xbb4", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.764700", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6cc", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.764796", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6cd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0xc17e7f0", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.765040", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckMonitorPowerState", "EventUID": "0x6d0", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 433, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.765121", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6d1", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0xc17e848", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e7f0", "ClientId": "0xc17e7e0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.766265", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckVidPnExclusiveOwnership", "EventUID": "0x6d4", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 439, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.766354", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x6d5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0xc17e860"} +{"Plugin": "syscall", "TimeStamp": "1716999134.766458", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x6d7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0xc17e860"} +{"Plugin": "syscall", "TimeStamp": "1716999134.766685", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6d9", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.766938", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x6dc", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2550", "TokenInformationClass": "0x1", "TokenInformation": "0xc17e900", "TokenInformationLength": "0xa0", "ReturnLength": "0xc17e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767027", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6dd", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767261", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x6e0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0xc17e7d8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767406", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e1", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff6f0", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767667", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", 
"EventUID": "0x6e4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2550"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767742", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e5", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767990", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x6e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768075", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e9", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff5d0", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768316", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x6ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xbb4", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768535", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6ee", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x86900ff8c0", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768620", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6ef", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "NArgs": 6, "FunctionCode": "0xc", "InBuffer": "0x0", "InBufferLen": "0x0", "OutBuffer": "0xc17e610", "OutBufferLen": "0x10", "ReturnLength": "0xc17e518"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768839", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6f2", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x86900ff960", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769088", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x6f5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "NArgs": 5, "FileHandle": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "IoStatusBlock": "0xc17e4d0", "FileInformation": "0xc17e4e0", "Length": "0x18", "FileInformationClass": "0x5"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769232", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6f6", "Module": "win32k", "vCPU": 0, "CR3": 
"0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.769462", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6f9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "NArgs": 6, "FunctionCode": "0xc", "InBuffer": "0x0", "InBufferLen": "0x0", "OutBuffer": "0xc17e870", "OutBufferLen": "0x10", "ReturnLength": "0xc17e798"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769551", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6fa", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.769836", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x6fe", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xba4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769917", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x6ff", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xbb4", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770170", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x702", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xcd0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.770252", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x703", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2664"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770493", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x706", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xcd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770575", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x707", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0xc17e800", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770821", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISubmitCommand", "EventUID": "0x70a", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 597, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.770905", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x70b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0xc17e858", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e800", "ClientId": "0xc17e7f0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.771226", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x70d", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 368, "NArgs": 1, "WorkerFactoryHandle": "0xbac"} +{"Plugin": "syscall", "TimeStamp": "1716999134.771667", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x710", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0xcd0", "Alertable": "0x0", "Timeout": "0x86907ff458"} +{"Plugin": "syscall", "TimeStamp": "1716999134.771741", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISignalSynchronizationObjectFromGpu2", "EventUID": "0x711", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 596, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.772060", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x714", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "NArgs": 5, "EventHandle": "0x86900fe0a0", "DesiredAccess": "0x1f0003", "ObjectAttributes": "0x0", "EventType": "0x0", "InitialState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.772246", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x716", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 368, "NArgs": 1, "WorkerFactoryHandle": "0xbac"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.772410", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x718", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "NArgs": 5, "EventHandle": "0x86900fe070", "DesiredAccess": "0x1f0003", "ObjectAttributes": "0x0", "EventType": "0x0", "InitialState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.772770", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIPresent", "EventUID": "0x71a", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 543, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.773047", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x71c", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0xba4", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.773860", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x71e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0xc17e870"} +{"Plugin": "syscall", "TimeStamp": "1716999134.773938", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x71f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": 
"0x0", "TokenHandle": "0xc17e870"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774227", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x722", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xbc4", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774374", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x724", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x268c", "TokenInformationClass": "0x1", "TokenInformation": "0xc17e910", "TokenInformationLength": "0xa0", "ReturnLength": "0xc17e890"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774548", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x726", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xcd8", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774939", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x728", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x10f4", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774975", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x729", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": 
"0xc17e7e8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775306", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x72c", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x10ec", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775444", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x72d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775587", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x72f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.775712", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x731", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2664"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775929", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x733", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.775998", "PID": 3888, "PPID": 
2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x734", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2550"} +{"Plugin": "syscall", "TimeStamp": "1716999134.776231", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x737", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.776314", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x738", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x924", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.776532", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x73b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.776609", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x73c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xbb4", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.776886", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x73f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.776966", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x740", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0xc17e638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.777223", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x743", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.777300", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x744", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x878", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.777511", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x747", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.777654", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x749", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x878"} +{"Plugin": "syscall", "TimeStamp": "1716999134.777866", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", 
"EventUID": "0x74b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.777962", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserMsgWaitForMultipleObjectsEx", "EventUID": "0x74c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1158, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778219", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x74f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778295", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x750", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd18", "Length": "0x4", "ResultLength": "0x27abd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.778553", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x753", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 19, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778586", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x754", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abda8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\*", "OpenOptions": "0x0"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.778916", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x757", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778951", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x758", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x87a", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac100", "Length": "0x180", "ResultLength": "0x27ac0ec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.779237", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x75b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.779372", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x75d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x87a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd30", "Length": "0x4", "ResultLength": "0x27abd68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.779536", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x75f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.779675", "PID": 3888, "PPID": 2852, "TID": 2664, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x761", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x87a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.779833", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x763", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.779962", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x765", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.780153", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x766", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.780427", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x769", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.780460", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x76a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.780820", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x76d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.780975", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x76f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac170", "Length": "0x180", "ResultLength": "0x27ac15c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.781126", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x770", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.781430", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x773", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.781465", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x774", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abda0", "Length": "0x4", "ResultLength": "0x27abdd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.781731", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x777", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0x16cc78", "Length": "0x4", "ResultLength": "0x16cc88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.781770", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x778", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd18", "Length": "0x4", "ResultLength": "0x27abd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782047", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16cca8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782100", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77c", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abda8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\AllFilesystemObjects", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782434", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x77f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b4", "ValueName": "0x16cfe8", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cea0", "Length": "0x90", "ResultLength": "0x16ce54"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782585", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x780", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abdb8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782929", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x783", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x784", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac100", "Length": "0x180", "ResultLength": "0x27ac0ec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783245", 
"PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x787", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x16d018"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783329", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x788", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x16d018"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783506", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd30", "Length": "0x4", "ResultLength": "0x27abd68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783800", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f0", "KeyInformationClass": "0x7", "KeyInformation": "0x16cce8", "Length": "0x4", "ResultLength": "0x16ccf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783842", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", 
"EventUID": "0x78e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc20", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784124", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x791", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16cd18", "DesiredAccess": "0x1", "ObjectAttributes": "\\SessionInfo\\2", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784193", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x792", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784494", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x795", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x8b4", "KeyInformationClass": "0x7", "KeyInformation": "0x16cc98", "Length": "0x4", "ResultLength": "0x16cca8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784663", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x797", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784824", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x799", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16ccc8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Desktop\\NameSpace\\NameCustomizations", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784987", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x79a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785290", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x79d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785478", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x79f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x264a"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785642", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryKey", "EventUID": "0x7a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0x16cb48", "Length": "0x4", "ResultLength": "0x16cb58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785837", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2696"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785986", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16cb78", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786139", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe6"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786301", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b4", "ValueName": "0x16ceb8", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cd70", "Length": "0x90", "ResultLength": "0x16cd24"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786449", "PID": 3888, 
"PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7aa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x87a"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786727", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786782", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2552"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787115", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x16cb50", "Length": "0x180", "ResultLength": "0x16cb3c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787159", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2570"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787494", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x7b5", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "NArgs": 6, "FunctionCode": "0xc", "InBuffer": "0x0", "InBufferLen": "0x0", "OutBuffer": "0x27ae5d0", "OutBufferLen": "0x10", "ReturnLength": "0x27ae468"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787634", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x16c780", "Length": "0x4", "ResultLength": "0x16c7b8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787928", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7ba", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x16c6f8", "Length": "0x4", "ResultLength": "0x16c708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787966", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateSemaphore", "EventUID": "0x7bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 192, "NArgs": 5, "SemaphoreHandle": "0x27ae3c8", "DesiredAccess": "0x1f0003", "ObjectAttributes": "ThumbnailCache.SimultaneousExtractions.{66526bdc-5216-40c2-b496-d1eb7c2223a4}", "InitialCount": "0xa", "MaximumCount": "0xa"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788340", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16c788", 
"DesiredAccess": "0x20019", "ObjectAttributes": "\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788393", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x2570", "Alertable": "0x0", "Timeout": "0x27ae3a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788711", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0x27ad8d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788880", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16c798", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789053", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0x27acd88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789560", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x20008", "OpenAsSelf": "0x1", "TokenHandle": "0x27acde0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789614", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7c9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x3", "KeyInformation": "0x16cbe0", "Length": "0x188", "ResultLength": "0x16cbbc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7ca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x20008", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x27acde0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790125", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x7", "KeyInformation": "0x16c800", "Length": "0x4", "ResultLength": "0x16c838"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790211", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCallOneParam", "EventUID": "0x7cf", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 2, "NArgs": 
0} +{"Plugin": "syscall", "TimeStamp": "1716999134.790412", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7d2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x16c6f0", "TokenInformationLength": "0x58", "ReturnLength": "0x16c6e8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790493", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7d3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x43c", "Flags": "0x800000", "SendMessage": "0xb54b140", "SendMessageAttributes": "0x4b4108", "ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790711", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7d5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16c808", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790935", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x7d7", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x104", "PortInformationClass": "0x0", 
"PortInformation": "0x435237f548", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791173", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7da", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2552", "ValueName": "LocalizedString", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16ce50", "Length": "0x90", "ResultLength": "0x16ce04"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791272", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7db", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x104", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x16a346d2c70", "BufferLength": "0x435237f538", "ReceiveMessageAttributes": "0x435237f558", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791575", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x7de", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f458", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791695", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryAttributesFile", "EventUID": "0x7df", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 61, "NArgs": 2, "ObjectAttributes": 
"\\??\\C:\\Windows\\system32\\shell32.dll", "FileInformation": "0x16c640"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792067", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcImpersonateClientOfPort", "EventUID": "0x7e2", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 134, "NArgs": 3, "PortHandle": "0x6d0", "PortMessage": "0x16a346d2c70", "Reserved": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792150", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x33c0000", "MemoryInformationClass": "0x3", "MemoryInformation": "0x16c6c8", "MemoryInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792382", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7e6", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x2000000", "OpenAsSelf": "0x1", "TokenHandle": "0x435237f020"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792462", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7e7", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x2000000", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x435237f020"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.792536", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x33c0000", "MemoryInformationClass": "0x3", "MemoryInformation": "0x16ca20", "MemoryInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792887", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2552"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792962", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x7ed", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x5", "ThreadInformation": "0x435237ef98", "ThreadInformationLength": "0x8"} +{"Plugin": "sysret", "TimeStamp": "1716999134.580523", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x18", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.580724", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x1a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "Ret": 
0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.581350", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x1e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.581566", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x20", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.581748", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x22", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.582454", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x26", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.582641", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x28", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583136", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x2b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583219", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x2c", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583248", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x2d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583557", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x30", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583587", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserValidateTimerCallback", "EventUID": "0x31", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583875", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x34", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583904", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x35", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584366", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x38", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584400", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x39", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 32422, "Info": "SUCCESS:0:NONE:0x7ea6"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584848", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x3c", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584965", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x3e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585179", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x41", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585252", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x42", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585377", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x44", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585572", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x47", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585672", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x48", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585744", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x49", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.586093", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetTimerEx", "EventUID": "0x4b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 432, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.586262", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUpdateWnfStateData", "EventUID": "0x4d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 463, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.586838", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x51", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.586929", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x52", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587428", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x56", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587576", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": 
"NtAlpcQueryInformation", "EventUID": "0x58", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587766", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x5b", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587896", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587967", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x5e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588184", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x61", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588253", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x62", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588370", "PID": 
2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x64", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588561", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x67", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588631", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x68", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588755", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x6a", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588955", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x6d", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589206", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x70", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589532", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x73", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589564", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcQueryInformationMessage", "EventUID": "0x74", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 138, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589893", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x77", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590049", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x78", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590397", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590521", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7c", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590772", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x7f", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590815", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x80", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590981", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x82", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591159", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x85", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 468, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591310", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x87", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591338", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x88", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591490", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x8a", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591675", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x8d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591703", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x8e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591854", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x90", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592032", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x93", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592060", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x94", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592225", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x96", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592547", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x9a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592884", "PID": 3888, "PPID": 2852, "TID": 7160, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x9d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593047", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x9e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593259", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xa0", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593473", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0xa3", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593572", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xa4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593710", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xa6", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593894", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xa9", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593972", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xaa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594092", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xac", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594329", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0xaf", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594424", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xb0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594557", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xb2", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594786", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xb5", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595021", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xb7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595068", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xb8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595425", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtDuplicateObject", "EventUID": "0xbb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 60, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595557", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xbc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595731", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xbe", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.596031", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryKey", "EventUID": "0xc1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.596059", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "Ret": 3221225476, "Info": "STATUS_INFO_LENGTH_MISMATCH"} +{"Plugin": "sysret", "TimeStamp": "1716999134.607682", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xc5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.607717", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xc9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608039", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608344", "PID": 3888, "PPID": 2852, "TID": 364, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationObject", "EventUID": "0xcd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 92, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608537", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608838", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenSection", "EventUID": "0xd0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 55, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.609235", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xd3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.609872", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0xd6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 51, "Ret": 3221225530, "Info": "STATUS_OBJECT_PATH_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.609964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd7", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610256", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610572", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0xdc", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610644", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xdd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xe0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611093", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xe1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611207", "PID": 3888, "PPID": 2852, "TID": 6956, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0xe3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "Ret": 67174810, "Info": "SUCCESS:0:UNKNOWN:0x19a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611534", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0xe6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 59, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611600", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xe7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611848", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xea", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611917", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xeb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612168", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0xee", "Module": "win32k", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 53, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612246", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateEvent", "EventUID": "0xef", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 72, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612501", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xf2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612734", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0xf4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612823", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0xf5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612980", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0xf7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613231", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0xfa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613329", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xfb", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613653", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateFile", "EventUID": "0xfe", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 85, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613751", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xff", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613977", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x101", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614130", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x103", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, 
"Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614342", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x105", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614459", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x107", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614726", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x10a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614855", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x10b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 10, "Ret": 671156285, "Info": "SUCCESS:1:UNKNOWN:0x83d"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616430", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReadFile", "EventUID": "0x10e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 6, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616526", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0x10f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616732", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x111", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616874", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x113", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1196, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617161", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x115", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617271", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x117", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617543", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x11a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617612", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x11b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "Ret": 67174810, "Info": "SUCCESS:0:UNKNOWN:0x19a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617858", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x11e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617942", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x11f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 59, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618140", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x121", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618255", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x123", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618503", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x126", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618581", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x127", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 53, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618781", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x129", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618914", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x12b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619113", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x12d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619251", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x12f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "Ret": 96, "Info": 
"SUCCESS:0:NONE:0x60"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619485", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x132", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619596", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x133", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619846", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x136", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619925", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x137", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620126", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x139", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620250", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x13b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620450", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x13d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620565", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x13f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620786", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x141", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620908", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x143", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "Ret": 302057640, "Info": "SUCCESS:0:UNKNOWN:0x8a8"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621143", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x146", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621220", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x147", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621431", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x149", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621611", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateBitmap", "EventUID": "0x14b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 107, "Ret": 168101667, "Info": "SUCCESS:0:UNKNOWN:0x723"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621897", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x14e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621975", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x14f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622194", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x152", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622270", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x153", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622511", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x156", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622669", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x157", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622912", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x15a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622988", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x15b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": 
"ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623204", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x15e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623277", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x15f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 168101667, "Info": "SUCCESS:0:UNKNOWN:0x723"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623495", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x162", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623632", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x163", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623897", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x166", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623985", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x167", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624293", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x16a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624368", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCreateEmptyCursorObject", "EventUID": "0x16b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 956, "Ret": 1311641, "Info": "SUCCESS:0:ACPI_ERROR_CODE:0x399"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x16e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624730", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetCursorIconData", "EventUID": "0x16f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 158, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625090", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x173", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625532", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUnmapViewOfSectionEx", "EventUID": "0x174", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 461, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625622", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUnmapViewOfSection", "EventUID": "0x175", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 42, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625783", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x177", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625946", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x179", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626118", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x17b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626323", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenKeyEx", "EventUID": "0x17d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626627", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x180", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626654", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x181", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626962", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x184", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627109", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x185", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627282", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x187", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627620", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627660", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x18b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628050", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628079", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628417", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x192", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628537", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x193", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": 
"STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628706", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x195", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629036", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x198", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629064", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x199", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629462", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629493", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629791", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x1a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629930", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630297", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630409", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630574", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630850", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1aa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": 
"STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630877", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ab", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631224", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631252", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631573", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631600", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631867", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631894", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.632218", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.632335", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1bb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.632501", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1bd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633114", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1c0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.633249", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1c1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633394", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1c3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633571", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x1c5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633722", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1c7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633903", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x1c9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634065", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1cb", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634402", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x1ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634430", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1cf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1d2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634738", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetIconInfo", "EventUID": "0x1d3", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 79, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634987", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1d6", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635016", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1d7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635282", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1da", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635309", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x1db", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 10, "Ret": 671156285, "Info": "SUCCESS:1:UNKNOWN:0x83d"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635553", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1de", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635580", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1df", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635835", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1e2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635863", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x1e3", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1196, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636117", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1e6", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636145", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1e7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636410", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ea", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636437", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x1eb", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636710", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1ee", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636738", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1ef", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637002", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1f2", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637030", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1f3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637293", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1f6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637320", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1f7", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "Ret": 48, "Info": 
"SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637659", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1fb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637735", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x1fc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 24, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637811", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBSection", "EventUID": "0x1fd", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 151, "Ret": 839190122, "Info": "SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637927", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ff", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638152", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x202", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638225", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x203", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638452", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x206", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 152, "Ret": 67174810, "Info": "SUCCESS:0:UNKNOWN:0x19a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638538", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x207", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638763", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x20a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 59, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638837", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x20b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639086", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x20e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 839190122, "Info": 
"SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639159", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x20f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639403", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x212", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 53, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639478", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x213", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x216", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639795", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x217", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640040", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x21a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 41, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640105", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x21b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640369", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x21e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x21f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640687", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x222", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 839190122, "Info": "SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640764", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x223", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 
0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641000", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x226", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 58, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641064", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x227", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641297", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x22a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 839190122, "Info": "SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641371", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x22b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641621", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x22e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641687", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x22f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641919", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x232", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641983", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x233", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642218", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x236", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642282", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x237", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642513", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x23a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.642589", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x23b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642852", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x23e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642929", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x23f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.643174", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x242", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.643242", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x243", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.643517", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenProcess", "EventUID": "0x246", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.644635", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x247", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645010", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x24b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645067", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x24c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645134", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x24d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645391", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x250", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645459", "PID": 3888, "PPID": 2852, "TID": 6956, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x251", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645776", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x254", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645887", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x255", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646057", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x257", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646212", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x259", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646368", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x25b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646523", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x25d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646692", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x25f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646848", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x261", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646983", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x263", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647127", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x265", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647296", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtWaitForSingleObject", "EventUID": "0x267", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647472", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x269", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647702", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x26b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647885", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x26d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.648026", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x26f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.648184", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x271", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.648768", "PID": 3888, "PPID": 2852, "TID": 2664, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x273", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649056", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x277", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649142", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x278", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649169", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x279", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649422", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x27c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649461", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x27d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649761", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x280", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649788", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x281", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650059", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x284", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650085", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x285", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650342", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x288", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", 
"EventUID": "0x289", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650625", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x28c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650651", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x28d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650923", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x290", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650948", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x291", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651203", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x294", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651229", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x295", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651521", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x298", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651547", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0x299", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 51, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651854", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x29c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651881", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVolumeInformationFile", "EventUID": "0x29d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 73, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652134", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2a0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": 
"sysret", "TimeStamp": "1716999134.652159", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2a1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652402", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652428", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652698", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2a8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652724", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652997", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ac", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653262", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653601", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653671", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653776", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653937", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654086", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2b7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654250", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654425", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654563", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654728", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654878", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.655022", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655166", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655292", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655451", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2c9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655598", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2cb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655755", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2cd", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655899", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2cf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656042", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656191", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2d3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656334", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656494", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656947", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657199", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2dc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657321", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2de", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657348", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2df", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657630", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2e2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657687", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.657986", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658013", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2e7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658269", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2ea", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658295", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2eb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658566", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2ee", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658593", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ef", "Module": "nt", "vCPU": 
0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658863", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2f2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658889", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659166", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x2f6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659198", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659460", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2fa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659486", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659772", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fe", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659800", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ff", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660075", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x302", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660102", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x303", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660382", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x306", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.660646", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x307", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660996", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x30b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661063", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x30c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661153", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x30d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661315", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x30f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661460", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": 
"0x311", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661619", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x313", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661802", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x315", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661941", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x317", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662107", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x319", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662258", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x31b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662404", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x31d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662551", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x31f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662716", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x321", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662867", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x323", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663013", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x325", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663158", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x327", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.663323", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x329", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663470", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663639", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x32d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663798", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663966", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x331", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.664662", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x333", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665046", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x337", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665118", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x338", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665228", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x339", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665400", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665584", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x33d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665741", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665927", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x341", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666085", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x343", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666262", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x345", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666416", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x347", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666566", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x349", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.666721", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x34b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666878", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x34d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667028", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x34f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667178", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x351", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667348", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x353", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667505", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x355", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667656", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x357", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667807", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x359", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667958", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668112", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x35d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668274", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668446", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x361", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668842", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x363", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669140", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x367", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669229", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x368", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669271", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x369", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669545", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x36c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.669572", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x36d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669872", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x370", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669900", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x371", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670170", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x374", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670222", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x375", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670530", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x378", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670562", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x379", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670835", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670862", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671129", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x380", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671156", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x381", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671434", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x384", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671461", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x385", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671728", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x388", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671755", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x389", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672041", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x38c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672324", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x38d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.672733", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x391", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672815", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x392", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672905", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x393", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673065", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x395", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673205", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x397", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673382", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x399", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673626", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x39b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673763", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x39d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673908", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x39f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674053", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674192", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674351", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674510", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674666", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674815", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x3ab", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674959", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675104", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3af", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.675256", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675422", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675568", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675736", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3b7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675887", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676052", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3bb", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676610", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3bf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676760", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676826", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x3c2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676932", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677235", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3c7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677317", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677344", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3c9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677659", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x3cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677690", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3cd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677979", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678005", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3d1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.678291", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678425", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678597", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3d7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678767", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678908", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3db", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679082", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": 
"0x3dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679231", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3df", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679404", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3e1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679561", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3e3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680088", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3e6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680473", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3e7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680768", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x3eb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680857", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680885", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.681252", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3ef", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.681445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.681628", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3f3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.682001", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682028", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682439", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682620", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3fb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682771", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3fd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682929", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ff", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683078", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x401", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683216", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x403", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683377", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x405", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683536", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x407", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683699", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x409", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683881", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x40b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684034", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x40d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684205", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x40f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684374", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x411", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684966", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x415", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685034", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x416", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": 
"sysret", "TimeStamp": "1716999134.685128", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x417", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685294", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x419", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685449", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x41b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685601", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x41d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685774", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x41f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685927", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x421", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686073", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x423", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686360", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x426", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686391", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x427", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686672", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x42a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686698", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x42b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686972", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x42e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686999", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x42f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687293", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x432", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687324", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x433", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687616", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x436", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687732", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x437", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.687927", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x439", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688319", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x43b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688614", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x43f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688697", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x440", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688738", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x441", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689015", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x444", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689042", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x445", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689346", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x448", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689459", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x449", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689622", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689804", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689947", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690151", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x452", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690231", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x453", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690516", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x456", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690580", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x457", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690847", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x45a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690915", "PID": 3888, 
"PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x45b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691226", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x45e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691294", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x45f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691550", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x462", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691619", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x463", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x466", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, 
"Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692199", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x467", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 49, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692596", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692665", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692717", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x46e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692787", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x46f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693067", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x472", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693291", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x475", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693383", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x476", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693615", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x479", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693680", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x47a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693994", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x47d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694059", 
"PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x47e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694304", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x481", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694370", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x482", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694616", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x485", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694680", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x486", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694970", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x489", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.695147", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x48a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.695263", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x48c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.697552", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.698429", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x491", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.698526", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x492", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.699041", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x494", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.699591", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x496", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.699942", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x498", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.700314", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x49a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.700595", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x49c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.700880", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x49e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.701094", "PID": 3888, 
"PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4a0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.701468", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4a2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.701707", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4a4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.702026", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.702688", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.702846", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4aa", "Module": "nt", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.703160", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4ac", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.703519", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4ae", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.703820", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.704176", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.704496", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.706124", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4b6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.706500", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.706786", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4ba", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.707235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.708098", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4bf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.708191", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4c0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.708507", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4c2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.708996", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.709316", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.709703", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.710001", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4ca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.710316", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x4cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.710735", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4ce", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.711614", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCDword", "EventUID": "0x4cf", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 63, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.712109", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.712607", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4d3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 3, "Info": "STATUS_WAIT_3"} +{"Plugin": "sysret", "TimeStamp": "1716999134.713052", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.714070", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4d7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.714435", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d9", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.714755", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4db", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 3, "Info": "STATUS_WAIT_3"} +{"Plugin": "sysret", "TimeStamp": "1716999134.715090", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExcludeClipRect", "EventUID": "0x4dd", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 150, "Ret": 3, "Info": "STATUS_WAIT_3"} +{"Plugin": "sysret", "TimeStamp": "1716999134.715514", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4df", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.715909", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": 
"SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.717380", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.717852", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.718086", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.718427", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtFindAtom", "EventUID": "0x4ea", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 20, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.718665", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4ec", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 65537, "Info": "DBG_EXCEPTION_HANDLED"} +{"Plugin": "sysret", "TimeStamp": "1716999134.719260", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x4ee", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.719593", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetAppClipBox", "EventUID": "0x4f0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 67, "Ret": 2, "Info": "STATUS_WAIT_2"} +{"Plugin": "sysret", "TimeStamp": "1716999134.720254", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x4f2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "Ret": 604047199, "Info": "SUCCESS:1:UNKNOWN:0x75f"} +{"Plugin": "sysret", "TimeStamp": "1716999134.720558", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4f4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.721188", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4f6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.721814", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x4f9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722154", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4fa", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072485144931, "Info": "WARNING:1:UNKNOWN:0x963"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722440", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x4fd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722465", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x4fe", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722744", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x501", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722770", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x502", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723203", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtQueryInformationToken", "EventUID": "0x505", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723230", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x506", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723670", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x509", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723697", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x50a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724003", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x50d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724114", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x50e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724458", 
"PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x511", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724573", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x512", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724916", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x515", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724946", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x516", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725227", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x519", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725256", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x51a", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725758", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x51d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725784", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x51e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726056", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x521", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726081", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x522", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726397", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x525", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726618", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x526", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726919", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x529", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726945", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x52a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.727242", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x52d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.727269", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x52e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.727696", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x532", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.727845", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x534", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x536", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728521", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x53b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728703", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x53d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728911", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x540", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729091", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": 
"0x542", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729159", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x543", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729290", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x545", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729533", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x548", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729622", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x549", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": "STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729883", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x54c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729944", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x54d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730245", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x550", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730310", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x551", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730436", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x553", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730704", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x556", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730761", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x557", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": 
"STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731023", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x55a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731068", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x55b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731334", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731397", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731875", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x562", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731948", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryKey", "EventUID": "0x563", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732110", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x565", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732370", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x568", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732454", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x569", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732784", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x56c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732864", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x56d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733111", "PID": 3888, "PPID": 2852, "TID": 3844, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x570", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733309", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x572", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733392", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x573", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733690", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x576", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733760", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x577", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734017", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x57a", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734231", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x57b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734295", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x57c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734701", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x580", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735035", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x584", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735062", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x585", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735244", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x587", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735483", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x58a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735648", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x58c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735674", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x58d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735956", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x590", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736001", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x591", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": 
"STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736352", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x594", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736507", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x596", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736702", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x597", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736918", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x59a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737083", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x59c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737221", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryValueKey", "EventUID": "0x59d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": "STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737403", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737598", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737768", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737899", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738301", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5a8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738332", "PID": 3888, "PPID": 
2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738519", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x5ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738784", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738926", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739183", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x5b2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739339", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5b4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739534", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739840", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5b8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739872", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740178", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5bc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740211", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740512", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5c0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740546", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740886", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x5c2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.741229", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSystemParametersInfo", "EventUID": "0x5c5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 66, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.741293", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5c6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.741613", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x5c9", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 2, "Info": "STATUS_WAIT_2"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.741703", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.742008", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserEndPaint", "EventUID": "0x5cd", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.742782", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5d0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.742814", "PID": 5740, "PPID": 5640, "TID": 5904, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x5d1", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743309", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5d6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743341", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCancelTimer", "EventUID": "0x5d7", 
"Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 97, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743621", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5da", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743648", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5db", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743967", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5de", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744111", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5df", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744270", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e1", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744425", "PID": 3888, "PPID": 2852, 
"TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5e3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744576", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e5", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744887", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5e8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744915", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISetSyncRefreshCountWaitTarget", "EventUID": "0x5e9", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 586, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.745484", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.745809", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5f1", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.745920", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x5f3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746094", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x5f6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746154", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5f7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746180", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x5f8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746465", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5fb", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746557", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5fc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746775", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5fe", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746914", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x600", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747058", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x602", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747348", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x605", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747375", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x606", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747678", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x609", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747793", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x60a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748021", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x60d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748523", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x612", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748804", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x614", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 468, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748869", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x615", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748957", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x616", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749141", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x618", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749287", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x61a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749446", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x61c", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749611", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x61e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 
0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749803", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x620", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749975", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x622", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750125", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x624", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750312", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x626", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750486", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x628", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750645", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x62a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750821", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x62c", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750982", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x62e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751152", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x630", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751362", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x632", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751539", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x634", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751716", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x636", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751863", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x638", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752035", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x63a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752174", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x63c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752333", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x63e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752487", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x640", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752657", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x642", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752797", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x644", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752952", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x646", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753104", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x648", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753252", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x64a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": 
"SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753408", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x64c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753626", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x64e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753764", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x650", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753913", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x652", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754041", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x654", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754215", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x656", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754351", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x658", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754511", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x65a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754711", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x65c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754884", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x65e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755026", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x660", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": 
"sysret", "TimeStamp": "1716999134.755179", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x662", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755334", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x664", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755495", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x666", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755656", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x668", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755811", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x66a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755957", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtClose", "EventUID": "0x66c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756124", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x66e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756323", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x670", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756507", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x672", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756691", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x674", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756927", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x676", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757102", "PID": 3888, "PPID": 
2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x678", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757256", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x67a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757468", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x67c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757655", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x67e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758167", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x680", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758320", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x681", "Module": "nt", 
"vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758621", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x684", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758648", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x685", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758945", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x688", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758973", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x689", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759295", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x68c", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759412", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x68d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759574", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetTimerEx", "EventUID": "0x68f", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 432, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759845", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x693", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 356, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759923", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x694", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759990", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionBeginFrame", "EventUID": "0x695", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 286, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760321", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x699", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 
3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760413", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x69a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760442", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetConnectionBatch", "EventUID": "0x69b", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 305, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760803", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x69f", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760874", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760988", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6a1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761154", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x6a3", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761470", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761521", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x6a8", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761585", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6a9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761857", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6ac", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761925", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6ad", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762191", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameLegacyTokens", "EventUID": "0x6b0", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 307, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762382", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762479", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762600", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiHLSurfGetInformation", "EventUID": "0x6b5", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 733, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762848", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6b8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762925", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6b9", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763301", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6bd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763354", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6be", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763430", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763701", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x6c2", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763780", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6c3", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764096", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameSurfaceUpdates", "EventUID": "0x6c6", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 309, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764184", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x6c7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 356, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764446", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6c9", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764578", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x6cb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764835", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6ce", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764901", "PID": 3888, "PPID": 2852, "TID": 
7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6cf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.765176", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckMonitorPowerState", "EventUID": "0x6d2", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 433, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.765259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6d3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766391", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckVidPnExclusiveOwnership", "EventUID": "0x6d6", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 439, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766593", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x6d8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766726", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x6da", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766810", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6db", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767065", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x6de", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767133", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6df", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767445", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x6e2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767524", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e3", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767795", "PID": 3888, "PPID": 2852, "TID": 7036, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x6e6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767863", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e7", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768113", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x6ea", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768181", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6eb", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768409", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x6ed", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768660", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6f0", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, 
"Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768889", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6f3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768966", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6f4", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769268", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x6f7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769347", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6f8", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769636", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6fc", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769718", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6fd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769966", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x700", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770038", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x701", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770286", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x704", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770370", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x705", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770615", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x708", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.770697", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x709", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770963", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISubmitCommand", "EventUID": "0x70c", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 597, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.771488", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x70f", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 368, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.771845", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x712", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.771874", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISignalSynchronizationObjectFromGpu2", "EventUID": "0x713", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 596, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772174", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x715", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772346", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x717", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 368, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772582", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x719", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772888", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIPresent", "EventUID": "0x71b", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 543, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.773195", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x71d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774057", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x720", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.774146", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x721", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774318", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x723", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774484", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x725", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774699", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x727", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775082", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x72a", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775242", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", 
"EventUID": "0x72b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775515", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x72e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775686", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x730", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775804", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x732", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776032", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x735", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776112", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x736", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776350", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x739", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776413", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x73a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776655", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x73d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776719", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x73e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777002", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x741", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777064", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x742", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 
4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777334", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x745", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777396", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x746", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777620", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x748", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777743", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x74a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777996", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x74d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778106", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x74e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778334", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x751", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778395", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x752", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778707", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x755", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778739", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x756", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779048", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x759", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.779169", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x75a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779326", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x75c", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779468", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x75e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779628", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x760", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779770", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x762", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779917", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": 
"0x764", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780238", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x767", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780267", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x768", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780574", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x76b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x76c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780925", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x76e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.781210", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x771", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781239", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x772", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781542", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x775", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781571", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x776", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781846", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x779", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781874", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x77a", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782224", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782343", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782706", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x781", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782736", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x782", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783038", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x785", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783171", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x786", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783452", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x789", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783597", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x78b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783625", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783918", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783946", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x790", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.784284", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x793", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.784423", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x794", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.784606", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x796", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.784759", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x798", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785082", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x79b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785219", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenKeyEx", "EventUID": "0x79c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785385", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x79e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785570", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785751", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7a2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785920", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786094", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7a6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786236", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786523", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786551", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ac", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786872", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786902", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7b0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.787242", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.787402", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.787716", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.787759", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x7b9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788136", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788165", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateSemaphore", "EventUID": "0x7bd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 192, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788477", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c0", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788603", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788805", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789340", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789371", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7c7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789843", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7cb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789941", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789969", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7cd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790245", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7d0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790319", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCallOneParam", "EventUID": "0x7d1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 2, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790547", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7d4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790764", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x7d6", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 468, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790978", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7d8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791043", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x7d9", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791366", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7dc", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791427", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7dd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791775", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x7e0", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791941", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryAttributesFile", "EventUID": "0x7e1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 61, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792190", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcImpersonateClientOfPort", "EventUID": "0x7e4", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 134, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792264", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792613", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792655", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7ea", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 47, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792741", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7eb", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 36, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793001", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ee", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793066", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x7ef", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793360", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x7f2", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793532", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7f4", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793687", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x7f6", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794055", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtQueryKey", "EventUID": "0x7fa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794125", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7fb", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794531", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7ff", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794667", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x800", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794925", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x803", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.795149", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x806", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.795356", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x808", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.795558", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x80b", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329543", "PID": 4, "PPID": 0, "RunningProcess": "System"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329625", "PID": 92, "PPID": 4, "RunningProcess": "Registry"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329695", "PID": 328, "PPID": 4, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\smss.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329761", "PID": 420, "PPID": 408, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329829", "PID": 516, "PPID": 408, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\wininit.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329897", "PID": 636, "PPID": 516, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331153", "PID": 644, "PPID": 516, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331220", "PID": 772, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331285", "PID": 800, "PPID": 516, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\fontdrvhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331348", "PID": 888, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331371", "PID": 952, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\sppsvc.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331434", "PID": 288, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331497", "PID": 444, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331560", "PID": 792, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331583", "PID": 1104, "PPID": 1084, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\oobe\\msoobe.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331649", "PID": 1128, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331713", "PID": 1176, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331777", "PID": 1256, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331839", "PID": 1304, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331901", "PID": 1312, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331970", "PID": 1552, "PPID": 636, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331992", "PID": 1816, "PPID": 4, "RunningProcess": "MemCompression"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332054", "PID": 1912, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332117", "PID": 1920, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332180", "PID": 2016, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\spoolsv.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332242", "PID": 1144, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332304", "PID": 2120, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332327", "PID": 2196, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files\\Windows Defender\\MsMpEng.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332440", "PID": 2776, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332504", "PID": 2820, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332568", "PID": 2892, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SearchIndexer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332632", "PID": 2964, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\taskhostw.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332695", "PID": 3040, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\CompatTelRunner.exe"} 
+{"Plugin": "procmon", "TimeStamp": "1716999134.332758", "PID": 656, "PPID": 3040, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332833", "PID": 1948, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332896", "PID": 3880, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\CloudExperienceHostBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332959", "PID": 3604, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\wbem\\WmiPrvSE.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333023", "PID": 4688, "PPID": 1176, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\audiodg.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333087", "PID": 1468, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333149", "PID": 5008, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333212", "PID": 5028, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333277", "PID": 3148, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SgrmBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333340", "PID": 1944, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333403", "PID": 4832, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333467", "PID": 5592, "PPID": 5576, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333545", "PID": 5640, "PPID": 5576, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\winlogon.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333609", "PID": 5716, "PPID": 5640, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\fontdrvhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333672", "PID": 5740, "PPID": 5640, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333735", "PID": 6076, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\sihost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333802", "PID": 6084, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333865", "PID": 4544, "PPID": 1128, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\ctfmon.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333887", "PID": 2852, "PPID": 5640, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333910", "PID": 3888, "PPID": 2852, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333996", "PID": 5228, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334081", "PID": 5068, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334141", "PID": 4240, "PPID": 4292, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334228", "PID": 984, "PPID": 636, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334314", "PID": 5132, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334400", "PID": 4332, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334486", "PID": 3808, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.335806", "PID": 5596, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.335892", "PID": 7128, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.335976", "PID": 6172, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\taskhostw.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336065", "PID": 2284, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336150", "PID": 2168, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336234", "PID": 972, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336320", "PID": 664, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999134.336408", "PID": 6872, "PPID": 3888, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SecurityHealthSystray.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336498", "PID": 6904, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SecurityHealthService.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336583", "PID": 5284, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336668", "PID": 4144, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336755", "PID": 2716, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\ApplicationFrameHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336801", "PID": 3532, "PPID": 6076, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336846", "PID": 3732, "PPID": 3532, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336937", "PID": 3548, "PPID": 1324, "RunningProcess": "\\Device\\HarddiskVolume2\\Users\\litter\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.337023", "PID": 1120, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.337111", "PID": 4284, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.337198", "PID": 4852, "PPID": 3888, "RunningProcess": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999134.337283", "PID": 3564, "PPID": 4852, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.643517", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x246", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e700", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.648184", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x271", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6e0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.652997", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ac", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.656494", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d7", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.660382", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x306", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.663966", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x331", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.668446", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x361", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.672041", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x38c", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.676052", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3bb", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999134.680088", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3e6", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.684374", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x411", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.687927", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x439", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.691921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x466", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.697552", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48e", "ProcessHandle": "0x8b0", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, 
"ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.702026", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a6", "ProcessHandle": "0x14a8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.707235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4bc", "ProcessHandle": "0x2638", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.765259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6d3", "ProcessHandle": "0x268c", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e7f0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.773195", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x71d", "ProcessHandle": "0x2664", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e800", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.827617", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x965", 
"ProcessHandle": "0x2550", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.831578", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x98d", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.835590", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x9b7", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.858885", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x9de", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.863144", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa0a", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.866972", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa32", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.871153", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa5c", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.875098", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa85", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.879363", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xaaf", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.883318", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xad4", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.887277", 
"PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb00", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.890965", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb26", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.895894", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb56", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.900552", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb7d", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.908549", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xbcb", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e7f0", "ClientID": 3888, "ClientName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.916926", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xc21", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.921279", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xc4c", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e8d0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.926052", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xc81", "ProcessHandle": "0x2550", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6e0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.955541", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xcef", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75eac0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.171900", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1651", "ProcessHandle": 
"0x13a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.179480", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x168c", "ProcessHandle": "0x13f0", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.211431", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x184b", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.215829", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1885", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.260862", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1ae5", "ProcessHandle": "0x6dc", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.265165", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1b1c", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.272108", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b77", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.272892", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b78", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273032", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b7a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273153", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b7c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273270", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999135.273607", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b80", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273736", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b82", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273833", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b83", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273990", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b85", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274096", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b86", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274225", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b88", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274321", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b89", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274467", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274585", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274841", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.275079", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.275350", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b91", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.276199", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b92", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.276446", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b94", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.276684", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b96", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.277086", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b97", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.277605", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b98", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.277991", "PID": 3564, "PPID": 4852, 
"TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.281929", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.282155", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.282415", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.282652", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.283060", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999135.283369", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.283719", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.284007", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.284302", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.286033", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.286294", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1baa", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.289195", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1bbc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.501760", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x26dd", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd200", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.503888", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x26fb", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd200", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.506128", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2716", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.508186", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2736", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": 
"0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.510215", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2755", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.512187", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2775", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.514178", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2795", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.516269", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x27b4", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.518345", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenProcess", "EventUID": "0x27d3", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.520330", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x27f1", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.522428", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2812", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.534480", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x28dc", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.536446", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x28fc", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.538373", "PID": 3888, "PPID": 2852, "TID": 4344, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x291b", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.542727", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2963", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.544634", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x297f", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.546615", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x299f", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cda50", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.550190", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x29da", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98ce100", "ClientID": 3888, "ClientName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.554347", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2a1c", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98ce110", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.558976", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2a65", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.561567", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2a91", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.564144", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2abf", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.566800", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2aeb", 
"ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.569579", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2b1b", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.572825", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2b4d", "ProcessHandle": "0x27e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.576663", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2b90", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.579251", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2bbb", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.582030", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2bea", "ProcessHandle": "0x27e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.584594", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2c16", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.590070", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2c65", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.592605", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2c91", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.595861", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2cbb", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", 
"TimeStamp": "1716999135.598800", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ce6", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.601526", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d11", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.604141", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d3c", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.606902", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d6b", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.609430", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d94", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", 
"ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.612208", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2dc3", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.614899", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2dee", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.617616", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2e1c", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.620261", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2e48", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.623950", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", 
"EventUID": "0x2e79", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.628739", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2eb7", "ProcessHandle": "0x19c4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.631588", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ee5", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.634330", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2f11", "ProcessHandle": "0x27e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.637492", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2f46", "ProcessHandle": "0x19c4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.640152", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2f72", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.675513", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x306a", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.679584", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3095", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.689074", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x30e7", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cddd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.693341", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3111", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdde0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": 
"procmon", "TimeStamp": "1716999135.739552", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3338", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.740569", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x333c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.741259", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3343", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.741738", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3347", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.742553", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x334f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.742989", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3353", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.743658", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x335b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.744071", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x335f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.744765", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3367", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.745151", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x336b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.745808", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3373", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.746250", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", 
"Method": "NtProtectVirtualMemory", "EventUID": "0x3377", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.747127", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3380", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.747548", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3384", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.748188", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x338b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.748608", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x338f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.749306", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3397", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.749753", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x339b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.750476", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x33a3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.750896", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x33a7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.760245", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x341a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.762590", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3431", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.763124", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3435", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.763671", "PID": 
3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x343b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.764065", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x343f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.764524", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3443", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.764952", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3447", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.769350", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x344a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.769686", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x344f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": 
"PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.779983", "PID": 772, "PPID": 636, "TID": 1544, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAdjustPrivilegesToken", "EventUID": "0x34c8", "ProcessHandle": 2147494836, "NewState": [{"SE_ASSIGNPRIMARYTOKEN_PRIVILEGE": "SE_PRIVILEGE_ENABLED"}]} +{"Plugin": "procmon", "TimeStamp": "1716999135.788041", "PID": 772, "PPID": 636, "TID": 1544, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtCreateUserProcess", "EventUID": "0x3539", "Status": "0x0", "NewProcessHandle": "0x708", "NewPid": 5388, "NewThreadHandle": "0x1170", "NewTid": 1452, "CommandLine": "C:\\\\Windows\\\\system32\\\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}", "ImagePathName": "C:\\Windows\\system32\\DllHost.exe", "DllPath": "", "CWD": "C:\\Windows\\system32\\"} +{"Plugin": "procmon", "TimeStamp": "1716999135.795251", "PID": 420, "PPID": 408, "TID": 1320, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe", "Method": "NtOpenProcess", "EventUID": "0x359a", "ProcessHandle": "0x4c8", "DesiredAccess": "0x1fffff", "ObjectAttributes": "0x1fc7a3f0b8", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.797656", "PID": 420, "PPID": 408, "TID": 1320, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe", "Method": "NtOpenThread", "EventUID": "0x35aa", "ThreadHandle": "0x668", "DesiredAccess": "0x1fffff", "ObjectAttributes": "0x1fc7a3f0b8", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "UniqueThread": 1452} +{"Plugin": "procmon", "TimeStamp": "1716999135.876474", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39c4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.877008", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39ca", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.877364", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39ce", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.877756", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39d1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.878109", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39d5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.878522", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": 
"1716999135.878816", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39dd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.882878", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a11", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.883373", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a16", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.883830", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.884116", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a1e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.884483", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a22", "ProcessHandle": "0xffffffffffffffff", 
"NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.884761", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a25", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.885044", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a29", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.885268", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a2c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.886967", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a42", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887172", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a44", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887313", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x3a46", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887470", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887612", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887802", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887943", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.888091", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.888312", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.888611", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a53", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.889350", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.889616", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.889917", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a61", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.890188", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a65", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.890524", "PID": 3564, "PPID": 
4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a69", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.890837", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a6d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.893109", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a88", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.893552", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a8c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.894193", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a92", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.894559", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a96", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999135.894916", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.895275", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a9e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.895577", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3aa2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.895903", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3aa6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.897975", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3abd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.898617", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac1", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.899091", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.899469", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.899634", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.905465", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3acb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906046", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ace", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_WRITECOPY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906207", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3acf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906612", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ad3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906984", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ad7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.907694", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3adf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.909112", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3af2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911062", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b09", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911215", "PID": 3564, "PPID": 4852, 
"TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b0b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911409", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b0d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911561", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b0f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911707", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b11", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911863", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b13", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912030", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b15", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999135.912200", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b17", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912351", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b19", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912493", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912760", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b1d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.913033", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b1f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.913371", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b21", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.913716", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.914148", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b24", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.926704", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bcd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.926982", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bd1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.927228", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bd5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.927798", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x3bdb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.928056", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bdf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.928343", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3be3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.929568", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bf4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.930259", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bfa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.930597", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bfe", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.930954", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c02", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.931369", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c06", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.931688", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c0b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935286", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c35", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935449", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c37", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935611", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c39", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935784", "PID": 5388, "PPID": 772, "TID": 
1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c3b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935931", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c3c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936093", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c3e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936261", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c40", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936415", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c42", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936561", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c44", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", 
"TimeStamp": "1716999135.936725", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c46", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936862", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937007", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c4a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937152", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c4c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937329", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c4e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937590", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c50", "ProcessHandle": "0xffffffffffffffff", 
"NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937906", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c52", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.938105", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c54", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.938308", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c56", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939132", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c58", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939319", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c5a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939532", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", 
"EventUID": "0x3c5c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939789", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c5e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.940074", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c60", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.940293", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c62", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.943437", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c64", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.943622", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c66", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.943844", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c68", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944034", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c6a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944263", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c6c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944483", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c6e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944713", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c70", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.945030", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c72", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.945249", "PID": 5388, "PPID": 772, "TID": 
1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c74", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.959279", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3d3f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.969911", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3dd8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.976309", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3e33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.985145", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3eb4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.058353", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4273", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974d3a0", "ClientID": 3888, "ClientName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.061241", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x428b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.062302", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x428f", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974d3a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.064922", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x42a7", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.067567", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x42c7", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.070083", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x42e7", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", 
"ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.072871", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4304", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.075179", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4324", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.077448", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4344", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.079751", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4364", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.082040", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", 
"EventUID": "0x4384", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.084267", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43a4", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.086552", "PID": 3888, "PPID": 2852, "TID": 3108, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43c4", "ProcessHandle": "0x2d4", "DesiredAccess": "0x410", "ObjectAttributes": "0x2ceef20", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.086860", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43c5", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.088941", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43e3", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.091167", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4403", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.093517", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4423", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.095686", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4443", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.098028", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4463", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974dbf0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.102667", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x44a3", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e2a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.107590", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x44e5", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e2b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.112541", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x452d", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.115873", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4559", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.119303", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4589", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.122342", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x45b5", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": 
"0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.125623", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x45e2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.126010", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x45e3", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.129030", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4601", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.133053", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4633", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.136132", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x465e", "ProcessHandle": "0x14a4", "DesiredAccess": 
"0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.139816", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x468c", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.143187", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x46b7", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.145140", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.145450", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.145755", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.147605", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.147902", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.148255", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46da", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.148720", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46db", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.154504", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x46e5", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.157622", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtOpenProcess", "EventUID": "0x4711", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.161115", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4741", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.164402", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x476c", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.168202", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x479c", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.169551", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47a4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170043", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47aa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170326", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ae", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170618", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47b2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170893", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47b6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.171246", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ba", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.171565", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47be", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.172158", "PID": 3888, "PPID": 
2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x47c6", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.174224", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47dc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.174620", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47e0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.175095", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47e6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.175483", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ea", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.175930", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ee", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.176305", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47f2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.176566", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x47f5", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.176843", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47f6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.177175", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47fa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.180113", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4820", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999136.183621", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4850", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.186680", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x487c", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.190005", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48ab", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.193323", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x48d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.193729", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48d7", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.197273", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4907", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.200741", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4933", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.201982", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4940", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.202600", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4942", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.203831", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4946", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.204242", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x494c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.204512", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4950", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.204787", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4954", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205052", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4958", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205368", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x495c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205623", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4960", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205916", 
"PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4963", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.208423", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x497e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.208926", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4982", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.209426", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4988", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.209801", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x498c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.210144", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x498f", 
"ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.210424", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4990", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.210853", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4993", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.211240", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4997", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.211535", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x499b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.214223", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x49c1", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", 
"TimeStamp": "1716999136.217339", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x49ed", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.220651", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a1d", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.223594", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a49", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.229105", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a94", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974df70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.232270", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4ac0", "ProcessHandle": "0x18dc", "DesiredAccess": "0x400", "ObjectAttributes": "0x974df80", 
"ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.239097", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4b23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.240001", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4b2f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.265058", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4c96", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.267099", "PID": 3564, "PPID": 4852, "TID": 2200, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4c9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.278178", "PID": 3564, "PPID": 4852, "TID": 2200, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4d31", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.291438", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4df5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.349263", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fcf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.349772", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fd3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.350434", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fdb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.350904", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fdf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.351522", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fe6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.352145", "PID": 5388, "PPID": 772, 
"TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4feb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.352835", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4ff2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.353223", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4ff6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.353849", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4ffe", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.354273", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5002", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.354887", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x500a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.355264", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x500e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.355933", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5017", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.356341", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x501b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.356998", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5022", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.357393", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5026", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.358043", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x502e", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.358415", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5032", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.359002", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5039", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.359388", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x503d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.418545", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x5374", "ProcessHandle": "0x24ec", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdde0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.429851", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x53ad", "ProcessHandle": "0x24ec", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdea0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.431344", "PID": 
5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53b8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.434287", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53ca", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.434931", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.435354", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.435711", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53d8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.436097", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53dc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.436421", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53e0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.436773", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53e4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.437205", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x53e8", "ProcessHandle": "0x235c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.441317", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5415", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.441761", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5419", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.442365", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x541f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.442779", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5423", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.443264", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5427", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.443679", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x542b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.443992", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x542f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.444318", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5433", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.446764", "PID": 5388, "PPID": 772, 
"TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x544d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.447214", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5450", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.447831", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5457", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.448231", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x545b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.448626", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x545f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.448998", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5462", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.449303", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5466", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.449667", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x546a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.454782", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x54b0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.462274", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5514", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.470683", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5590", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.498084", "PID": 3888, "PPID": 2852, "TID": 7048, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x570c", "ProcessHandle": "0x1820", "DesiredAccess": 
"0x410", "ObjectAttributes": "0x997ecc0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.528964", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x58c3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.571557", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtOpenProcess", "EventUID": "0x5adb", "ProcessHandle": "0x88", "DesiredAccess": "0x2000000", "ObjectAttributes": "0x667e67ed00", "ClientID": 4852, "ClientName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579202", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b24", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579386", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b26", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579542", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b28", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": 
"1716999136.579682", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b2a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579853", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b2c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579995", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b2e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580189", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b30", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580358", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b32", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580646", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b34", "ProcessHandle": "0xffffffffffffffff", 
"NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580938", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b36", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.581210", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b38", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.581685", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b3a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.582151", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b3b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.582488", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b3d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.582850", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x5b3f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.583136", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b41", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.583410", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.583731", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b45", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584008", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b47", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584294", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b49", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584661", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b4b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584930", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b4d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.585252", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b4f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.585627", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.598048", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bd7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.598510", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bdd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.598825", "PID": 3564, "PPID": 4852, 
"TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5be1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.599107", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5be5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.599397", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5be9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.599788", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.600404", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bf5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.602499", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c0e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.603091", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c14", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.603467", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c17", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.603893", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.604280", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c1f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.604556", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.606826", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c3f", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.607243", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c42", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.607863", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.608343", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c4d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.608721", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.609087", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c55", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.609418", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", 
"Method": "NtProtectVirtualMemory", "EventUID": "0x5c59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.609699", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.642912", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e09", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.643411", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e0d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.643936", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e13", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.644312", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e17", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.644683", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.645090", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e1f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.645382", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.645688", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e27", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.683068", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5ff7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.683542", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5ffb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.684086", "PID": 3564, 
"PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6001", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.684456", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6005", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.684941", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6009", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685298", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x600d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685477", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x600e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685748", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6010", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.685830", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6011", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685945", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6012", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686098", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6014", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686265", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6016", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686444", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6018", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686525", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6019", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686739", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x601a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686900", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x601c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.687047", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x601e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.687313", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6020", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.688166", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6026", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.688461", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x602a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.688736", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x602e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.689001", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6032", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.689342", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6036", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.689692", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x603a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.690487", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6041", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.691219", "PID": 3564, "PPID": 4852, 
"TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6049", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.691707", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x604d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.692057", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6050", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.692886", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x605a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.698880", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60a8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.699383", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60ac", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", 
"TimeStamp": "1716999136.701966", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60ca", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.702460", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.702882", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.703283", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60d7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.703761", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60db", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.704057", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60df", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.704330", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60e2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.705117", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60eb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.709492", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6124", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.709727", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6127", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.721201", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6179", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.721783", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x617d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.721946", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x617e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.722375", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6182", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.722897", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6187", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.723289", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x618b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.723676", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x618f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.724038", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6193", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.724333", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6197", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.724660", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x619b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.725166", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x619f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.747270", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x62d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.747801", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x62da", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.775106", "PID": 5388, "PPID": 772, 
"TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x643f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.775702", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6443", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.776244", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6449", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.776609", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x644d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.777020", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6451", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.778777", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6466", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.779075", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6469", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.779590", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x646d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.780525", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6478", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.783165", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6497", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.783655", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x649b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.784134", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x64a1", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.784699", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x64a4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.881303", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6a03", "ProcessHandle": "0x2624", "DesiredAccess": "0x400", "ObjectAttributes": "0x974df80", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.885997", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6a3d", "ProcessHandle": "0x2624", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e040", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.890765", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6a79", "ProcessHandle": "0x22f4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.945990", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d5a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": 
"PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946258", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d5c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946469", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d5e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946652", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d60", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946806", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d61", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946975", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d63", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947150", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": 
"0x6d65", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947315", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d67", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947583", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d69", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947881", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d6b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.948169", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d6d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.948464", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d6f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.949184", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d73", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.949663", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d79", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.949973", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.950277", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d81", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.950552", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d85", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.950924", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d89", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.951253", "PID": 3564, "PPID": 
4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d8d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.953270", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6da9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.963916", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e3f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.964409", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.969129", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e7a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.969539", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e7e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.970086", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e84", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.970579", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e88", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.970956", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e8c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.971331", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e90", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.971592", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e94", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.971833", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e97", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.972394", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.008336", "PID": 772, "PPID": 636, "TID": 1544, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x7083", "ProcessHandle": "0x708", "DesiredAccess": "0x1000", "ObjectAttributes": "0x24890fecf0", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.021074", "PID": 288, "PPID": 636, "TID": 1520, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x7110", "ProcessHandle": "0x1f0c", "DesiredAccess": "0x1478", "ObjectAttributes": "0x72d7fff800", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.035120", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71c4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.035534", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71c8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.036032", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71ce", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.036416", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71d2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.037010", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.037422", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.037820", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71dd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.038171", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71e1", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.038745", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThread", "EventUID": "0x71e7", "ThreadHandle": "0x234", "DesiredAccess": "0x40", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 288, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "UniqueThread": 4464} +{"Plugin": "procmon", "TimeStamp": "1716999137.039726", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71f2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.040107", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x71f5", "ProcessHandle": "0x234", "DesiredAccess": "0x400", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.044617", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x722e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.045106", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7232", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.069534", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7333", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.070044", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7337", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.086645", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7408", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.087103", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x740c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.138148", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76b8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.140571", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76d2", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.143437", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76ea", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.145259", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.146726", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76fe", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.149063", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x770e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.156950", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7740", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.159596", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x7751", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.161561", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x775d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.163776", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7765", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.192940", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7857", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.228970", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a02", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.229468", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a06", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.231741", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a25", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.232190", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a28", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.232850", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a30", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.233172", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.234724", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.235138", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a47", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.238346", "PID": 3564, "PPID": 
4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a6c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.238752", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a70", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.240007", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a7e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.240405", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a82", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.241328", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a8d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.241726", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a91", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999137.242702", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a9c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.243005", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a9f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.243565", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7aa6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.243950", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7aaa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.244886", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ab5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.245261", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ab9", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.267226", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bea", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.267614", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.267967", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bf1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.268512", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bf4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.270241", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7c0d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.270545", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7c10", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.302735", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7d98", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.303139", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7d9c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.303662", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7da2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.304034", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7da6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.304405", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7daa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.304985", "PID": 3564, "PPID": 4852, 
"TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7daf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.305343", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7db2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.305780", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7db7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.307873", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dcd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.308362", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dd1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.308917", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dd7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.309365", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ddb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.309801", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ddf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.310179", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7de3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.310492", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7de7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.310810", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7deb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.312324", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dfe", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.313031", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7e05", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.363190", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7f2c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.363765", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7f30", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.382089", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x802e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.387478", "PID": 3888, "PPID": 2852, "TID": 552, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x8076", "ProcessHandle": "0x25b8", "DesiredAccess": "0x1000", "ObjectAttributes": "0x8caefd0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.392311", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x80b7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.392763", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x80bb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.393201", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x80bf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.470902", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83e0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.471432", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83e4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.471836", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83e8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.472204", "PID": 
3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83ec", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.472717", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83f1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.473161", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83f4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492027", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492217", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492461", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999137.492617", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492793", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84fb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492943", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84fd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493099", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84ff", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493250", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8501", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493562", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8503", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493764", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8505", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493997", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8507", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494190", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8509", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494415", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x850b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494632", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x850d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494819", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x850f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.495002", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8511", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.495216", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8513", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.495416", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8515", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.496940", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8517", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497122", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8519", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497350", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x851b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497537", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x851d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497788", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x851f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497988", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8521", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.499176", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8524", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.499687", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x852a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.500062", "PID": 5388, "PPID": 772, "TID": 
4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x852e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.500352", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8532", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.500638", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8536", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.501111", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x853a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.501457", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x853e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.503464", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8555", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", 
"TimeStamp": "1716999137.504002", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x855a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.504426", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x855e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.504863", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8562", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.505260", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8566", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.505578", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x856a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.507587", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8585", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.508087", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8589", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.508645", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x858f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.509078", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8593", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.509533", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8597", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.509912", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x859a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.510239", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x859e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.510549", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85a2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.512713", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85ba", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.513164", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85be", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.513693", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85c4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.514104", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85c8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.514490", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85cc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.514892", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.515184", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.515489", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85d8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.517533", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85f1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.518106", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.518639", "PID": 5388, "PPID": 772, 
"TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85fb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.519055", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85ff", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.519469", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8603", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.519869", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8607", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.520218", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x860b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.520493", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x860f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.522450", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8629", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.523096", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x862f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.534552", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x86ce", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.535078", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x86d1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.545751", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x876a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.546251", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x876e", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.547085", "PID": 5388, "PPID": 772, "TID": 6920, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8776", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.547675", "PID": 5388, "PPID": 772, "TID": 6920, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x877b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.549365", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x878d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.549763", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8791", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.558921", "PID": 3888, "PPID": 2852, "TID": 552, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x87ea", "ProcessHandle": "0x2274", "DesiredAccess": "0x1000", "ObjectAttributes": "0x8caefd0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.560891", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x87f3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.561311", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x87f7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.581912", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x890a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.582342", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x890e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.585983", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x893e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.586371", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8941", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.594395", "PID": 5388, 
"PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89a6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.594787", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89aa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.595388", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89af", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.595819", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89b3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.596212", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89b7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.596570", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89bb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999137.596896", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89bf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.597242", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89c3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.597783", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89c8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.627771", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8b59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.628340", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8b5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.634823", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bb0", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.635348", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bb4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.636078", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bbd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.636458", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bc1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.638269", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bd9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.638648", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bdd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.639914", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bec", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.640342", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bf0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.666830", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d27", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.668068", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d2b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.673826", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d79", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.674317", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.692110", "PID": 3564, "PPID": 4852, 
"TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8e69", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.692558", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8e6d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.742772", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x910e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.743325", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9112", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.751208", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9176", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.751652", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x917a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.752220", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9180", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.752634", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9184", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.753042", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9188", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.753436", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x918c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.753767", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9190", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.754087", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9194", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.754702", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9199", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.791250", "PID": 288, "PPID": 636, "TID": 1520, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x9370", "ProcessHandle": "0x5ec", "DesiredAccess": "0x1478", "ObjectAttributes": "0x72d7fff800", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.808927", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThread", "EventUID": "0x9450", "ThreadHandle": "0x2104", "DesiredAccess": "0x40", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 288, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "UniqueThread": 4236} +{"Plugin": "procmon", "TimeStamp": "1716999137.810108", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x9460", "ProcessHandle": "0x2104", "DesiredAccess": "0x400", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.902511", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": 
"0x9971", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.902961", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9976", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.903332", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x997a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.903624", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x997d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.904006", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9981", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.904308", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9984", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.904797", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x998b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.906025", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x999b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.907243", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x99ac", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.907763", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x99b0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.008242", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9e8f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.009550", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9e93", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.029988", "PID": 3888, "PPID": 
2852, "TID": 552, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x9f90", "ProcessHandle": "0x2620", "DesiredAccess": "0x1000", "ObjectAttributes": "0x8caefd0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.055427", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0b4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.055903", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0b8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.056419", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0bd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.056889", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0c1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.057336", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0c5", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.057787", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0c9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.058120", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0cd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.058423", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.059417", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.083396", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa1d5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.083865", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa1d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.191235", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa7f7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.191649", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa7fb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.192228", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa800", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.192631", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa804", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.193021", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa808", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.193402", "PID": 5388, "PPID": 772, 
"TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa80c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.193749", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa810", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.194068", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa814", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.196168", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa828", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.196595", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa82c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.197116", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa832", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999138.197526", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa836", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.197941", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa83a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.198336", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa83e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.198626", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa842", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.198948", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa846", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.200237", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa856", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.201308", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa862", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.203837", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa885", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.204359", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa889", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.208915", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa8b0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.209316", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa8b4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.218109", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0xa91b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.218525", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa91e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.219083", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa924", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.219496", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa928", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.219917", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa92c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.220339", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa930", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.220756", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa934", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.221088", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa938", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.222528", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa949", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.225653", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa96f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.226113", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa973", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.278433", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac1a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.278933", "PID": 5388, "PPID": 772, 
"TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac1e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.279516", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac24", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.280015", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac27", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.280429", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac2b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.280891", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac2f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.281210", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999138.281556", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac37", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.282335", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac3e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.287121", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac75", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.287536", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac78", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.342652", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xaf1b", "ProcessHandle": "0x23cc", "DesiredAccess": "0x410", "ObjectAttributes": "0xa07f940", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.348130", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtOpenProcess", "EventUID": "0xaf38", "ProcessHandle": "0x2274", "DesiredAccess": "0x1000", "ObjectAttributes": "0xa07f3c0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.374085", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb09d", "ProcessHandle": "0x2274", "DesiredAccess": "0x1000", "ObjectAttributes": "0xa07f430", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.386542", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb142", "ProcessHandle": "0x2274", "DesiredAccess": "0x410", "ObjectAttributes": "0xa07e320", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.453231", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb4b2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.453883", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb4b5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.478495", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0xb5e4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.478905", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5e8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.497846", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5ed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.498357", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5f1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.498801", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.499229", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5f9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.499629", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5fd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.499955", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb601", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.500754", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb60a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.503133", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb62b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.503693", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb62f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.506301", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb64d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.506854", "PID": 3564, "PPID": 
4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb653", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.507237", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb657", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.507661", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb65b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.508069", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb65e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.508379", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb662", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.508703", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb666", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999138.509457", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb66f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.519007", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6e2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.519524", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6e6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.519974", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6eb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.520360", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6ef", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.529420", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb75a", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.529882", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb75e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.563501", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb926", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.564020", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb92a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.618953", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbe1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.620515", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.621029", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbf3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.621415", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbf7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.621985", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbfb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.622387", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbff", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.622716", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc03", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.623050", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc06", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.627221", "PID": 3564, "PPID": 
4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.627921", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc37", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.628540", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc3d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.628831", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc3e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.629257", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc40", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.629640", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999138.629916", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc44", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630318", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630500", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc49", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630856", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc4c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630983", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc4d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.631389", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc50", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.631590", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.632144", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc55", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.632513", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.632982", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.635565", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc76", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.635742", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc77", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636121", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc79", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636340", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc7b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636652", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636977", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc7f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.637435", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc81", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.637955", "PID": 3564, "PPID": 4852, 
"TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc83", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"}
+{"Plugin": "inject", "TimeStamp": "1716999134.223756", "Method": "CreateProc", "Status": "Success", "ProcessName": "C:\\Users\\litter\\Desktop\\malware.exe", "Arguments": "", "InjectedPid": 4852, "InjectedTid": 6020}
\ No newline at end of file
From 144572e339987375991090783455880b344032c8 Mon Sep 17 00:00:00 2001
From: Yacine Elhamer
Date: Tue, 2 Jul 2024 00:03:55 +0100
Subject: [PATCH 2/2] use .log.gz
---
.github/check_sample_filenames.py | 1 +
...19c88993bcb645e0357f3cb584d16e7c795.log.gz | Bin 0 -> 67712 bytes
.../drakmon.log | 4001 -----------------
3 files changed, 1 insertion(+), 4001 deletions(-)
create mode 100644 dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795.log.gz
delete mode 100644 dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log
diff --git a/.github/check_sample_filenames.py b/.github/check_sample_filenames.py
index 25b5ab2..4788698 100644
--- a/.github/check_sample_filenames.py
+++ b/.github/check_sample_filenames.py
@@ -32,6 +32,7 @@
 ".cs_",
 ".py_",
 ".json.gz",
+ ".log.gz",
 ".BinExport",
 )
 IGNORED_DIRS = (".git", ".github", "sigs")
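Review bot: The added `".log.gz"` entry is the only suffix in this allow-list whose content format is not implied by its name: the drakvuf sample it admits is gzip-compressed JSON Lines (one drakmon record per line), as the `drakmon.log` removed in the same patch shows. A trailing comment, `".log.gz",  # drakvuf drakmon.log samples (gzip'd JSON Lines)`, would tell a reader why a generic log suffix is accepted here. The tuple this entry belongs to begins before the hunk, so how the script matches these suffixes (the full compound suffix such as `.log.gz`, or only the final extension) is not visible in this view and is worth confirming against the matching code.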
diff --git a/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795.log.gz b/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795.log.gz new file mode 100644 index 0000000000000000000000000000000000000000..09fed52e80cec095f0c49ab1c870a989b3601494 GIT binary patch literal 67712 zcmY&;V{j%+6K(8`ZQHhO+qRR9ZQHhO+t}E4p4i^I?^n0#*8Md-Rb5^4<8;qC-Axb; z1(nMdYz_p<#bV5C%EZaa$i~iY&dO$PWX#UNYG!Q0!DYl{%EV>D$;tK4#l)DMmCcNi zg^k0U#l)D6lhu@o-HhX(6C1s)g9Xr)o{q~_N0Q&30aNN(BrL}vv)W^V2~YC!x=YWI z=~u(1^gYO?woDPc7};DV_g`NpA~R`Xs>l{oX`!U5b<3cyi24OE?DMfb2Yd0y&x7Mx z27%uD@?j@t&&Njv2m1agsj}#zg>xC!oX|;)%qhuedhud`ug2w}!F_VM8x{YrrOyM& zIf&ry15)X}*wb3yVElr;M2K$4SPgW+Udz_sb%N1d#n)A<0Be5g-vS zh(2DWhZESpcgivF(ev*WO8VO(c_ z-|PE%dNrgST#*W#gEz z;qcA46G>v`R9DzgY2$(sm70P^icM)qi$~&VqXhats_t$%+L=FjJ?|(MB*oJe3UjR0 zl&8wE#V3ixLqOf$J*mHCsZUg~Sw1D zBdqD)Qa+>|hGoS+lqDI>UGH0>ji`rdrTTF)!x4c2P1EJLp=TH2UsU6lOt2R`Dkvnn zMBUS7Av7D_qr;y@+|#T>(-b-iLKJ`|+*msdx=#^)EG7E85WjU#=I=V#=UgbknHD9b z3;}IgwA0^XAw<4suv|%*wDyHJ(Hc>Y<3=vYd#3J8IedKzr9HVH2ahz0Vbr6Zc2l0A z9Tfnz9q#%`pvIy8qy-<^R_T5P<5&@ce@J&4*HTkHIf^%vjokO4&7xCDAFGqO%wOY_4_#IDNy_vFngcwW_zKS=Z}ErXT= zKI~G!ekRx-?M^KoGwnc(_$dL(OZ!tn+A5WZv^#3QE67Ykflkvrr0(p?Vr~5*5epbo z^1}{}I@=t&CeaWZlw~9P@EsrPI{7WPtTw}F9`Ewy_MY@0p?Kne-Em^S?D5M6SK}oJ z1L(#{>PBF0!m}d#-i0O=4q*1HDFY-g{borULHPs98g30s7kIeu&n(KnP5kP1aQTZGw zaVw+d8sDZTrCl-L#B2<&LD1q;@qUva0fck>79Sh6Bs+~<;7z?PqHK+SVI(CCcPAP) z!*5URJ>NX2N^Zq>Dn5bCsmU3MnKwLNX2HvYoO_T9H8sx zH}|};%P7Bt3j+^kDucS7K92*`7s?(PXM;`=*q{-H>O>9`a50j$5YDRVIc${;!?6yz zapA*<8@D)#XR#ea?8aFDM;n=*Rrt!6E00;B^Ns+fJ?1Aqg`DwObM*T*?*?2%$PwTT zh6L9tIB=_smfBhl9^ARe1xSjp@K@%got4N&3e5670^B%y&ad<8E`_Dt-?9iSy=rV( z8uG$m2#aR83A-RxNR^Egq~A`k&zAS6YB8IW9n-J9QfNzQ8EX5n_GD4)nmB4>J`NBl0WRM;kk%fsXG(vQ1L=&KTkkt~$ z zQC8V`%7H}h`!3YGxd7vdyy(mSuQGw?}wE!ui zco$(8q1GnOtGZ5XsyRCp$1@VHi*nZJJy3b3unR^au>jsVvCKu>X0L~NRrE}g`r~86 zb)aGgsSScSTbP7a(vJsuLDmsls!2U_6dV>0G|ZfD@^Rvf^+z0X=a*EU3lR2D*EtdJ 
zP&~h4kO6i2BkmRL&FyrlI%tiBo*FC$uTj~itZ;UQaOS6O_P%UvADETn73RH32BmpF zNY*CGuBls(HvWfu)6105#bFU-fu8VW$6VB>>Sf$BqmFbBj3s1~xvA>~G%n3&*iaSl z!fDgjB(?+TS=MD6i_e~KT3UwqK%o|0PWZOT(KE%B1@lIpW`PCo-jqkhr|BO8Ds?m4 zLzH^*dDE?)R8swctXAC;V&DdtcsKzq^|{d^F7Rl3AyDKu`lvgZ5%lo7Y6T zI(FGx#*Dq?--R9zm3cY}I48w(I^kGPVr`^-h4;KpRC_-nou_680bhSH!f{Act>yaUV4hq+&o2a+ad z;6uFKx~HrRK{^MPKg($Kk@Ef>{Q8eI&7APP3Zd9%Bl%+EA%>PXGI!-o*$I^KmXz?jX|w76RzA)E}R!eufE(!<;;b{E(Lvg@w5J z3bg!;A{3@}QGAqqoLM^_?#zNa)^pR2bXRdFO|dgcgqHBX?7K44)@Bso1;45_8AsA2 zdgg1GUu3CCcLOE$HjdgvFBj#{+{{htyAMW_l>8;kh4AVd?~WwB@=o0v5j-<{zmOrc z8zgu^MlKpCy0SNX8!&9m8LUU~!-4P-yq_V|HfrNWj0g+^hwvg*nvc1ov-VO&6|GZ9H$ZbsPVzaPKgQs|1?bN@HwHv1(-6!p7#0U9dy2pCYoI$0L zn?(4^|3^i(DZ4>xF#&D<;!co8L-=0eFDqFyh?qWyLGvb!MsWI%vHMmZKi4 z#qj`nU&u?Aq)4tNY)514WuQs{oA>UWtmT(4l*oj9IRDHc|DpxYiHmelZucG)>5OG! z*$|PFByN&Ajyc|c#qt6=AvYO`>%TI4f62MM?%BV*EGNS!2*yWbfK*%)zOF4YBi=5M{7-{540)?nC#jijZ&$QjFvj@*ts}`PdyE7Yu zLv6LC=9eL?9VLyB6HXxbc69Wm+4x24R2WjQM9WgYpJ(KF$>Z5^XnOh;{oTMG9X3Th znGP+5XNIAye4yOQMSSFJm}aNEYn9Ln-p7= zc{VvW$Hr!wt@G7=vLVWAiwnpy^&L~a>{fzwf}z9{@DAfBdd#a$RIeRFZFB{!j$9+O z%1kbNrO^Brc^dZK9wx#?xZQd&T<~?-@Cf6vfObK}xbc!`L1Ta$L283(G0YDFY|EZy&gl<<8=#lrgaEYqhv_-KxCwv24$t(G zAiBMpj@vgtVzs;W6aZli17KYdmXtxiklbX7-A&K54SIay*f5 z*+|MbP6<)72HL)fwO(xXwmhVZ*l2*XT5rOfAnACaFGoH@*OXijd2@-RVz%*J>$&^b zNy>hd-TUHXsiDFaTzBc)g$lg;Ik zXtgn2yW@4mDc`bDp*Ma7s+f|L1tZ}(t_l#K_v`djI$qxUJdvwQnQ#=;@ zqS%p@vN-6-h#M2fcq#sa${Zp;j)C&xvT5(je)l8p??zTahSshWEn5@L7HtcqA5E~<p$f(of8TnAky5 zlqrxKCifl!S~*X^xlUCHA3uC_cLf^H@5Es@VGuVooO5k2E_L5?k>PoccZz5XIV$9& z$o}qnEqM~lACtQXeTbpD)gayKlqUoX*f3q8 zXIYR`U`%uMwIk{K!ML@+U&#K`xeEk6b3e7@%8742T;Jry?C>0jM~*s9;)HOd0e7&--`~L+nrtdVBQjrq=h=z2Ok!E4?0-!x5aCQCrtr>9!$~i z9dS0zP&htvOhh|7S-r|Gl`R_r#}uSs^@Q_8i$4mlW3+9z9=$1A$~dx+21)c1ytN6$ z3^Tkoc}2rMV=g(qA)EaujaG}lNB?RgV7aqwHvD7uq_#bx#9@EL*BRm6^tOP4c|ZyE zeP!@V@Nl1S3He`r4ZJ8f?Jiso?^{pxY!_EL(@4!oF5G)zPc%SnvSAKJs6B3_>yVJ312FV7B%cE{dK zW9FH8mK$euTJuRI;mtUcXv?o9qDL$Qn;)Kqt>TW&k6_QjkKc2~hHIaD>lYP3uE1|5 
z=AJ55X5#xCf4KsP!(Bp?s>Y{6T)%3ES*rih#B-WJ^f}y)7C(M^K?XxUE97t6+=TQH9b`qG6hN zh*pAfz!?uCzStmUJE+32lamH7`1QaxLvmrW$(a-)(pfA4glO6cPz7$2l}MLx1ib%f znPZ0FGiSQDT)j#?*gg0JCb<--+@n6c4kyw+EK%aJFU{5Zg-%mo&9PV|-w~ovD&e83 zc;(}5m3`CddxQ|I+?k1RL=D}rMDfjlW7)gm2i0A)W)Q=~gLnxivMR0j4`ZNl;^y)>o?!4UBhL6BXU(5i}Vh!gzUQQ;3w9n<~B{ZH30PAmHYGy6~BA9qkq zF&e{1fF1^X0SQ_Q#LOH?w0bBBB&Qp_#^x~eA1M^g^884vYRsM~EmbY!tLVAywhYVx zty1YIj8+d6oZl?&=v2{A8J4SRC|_9_49kX<4chP_WQ=ZAXZ;JxNhm;^uxl&BJ;LO1 zxph%lC~~p2aa*{d&HngYPjQ&b0r8HBEKv95HS~dmE#B=FBMX4_QLbg+W^lb&MVOqc z-E%}Y^97h7;Ld^^sn_mtnToahky7grthD|mQ z;z9er+|4T>T=rK)@h-0L1$97ubI%hV=`4)9WM{Bs>}eD!1|eIRn_)L(c#BarmX7B4 zEYsZMpoVgrkUn8XMoJX*$Wp|FbPy4k=0XrYo0*ZpZr>V>k)uU)|6-k~V;>r}{>(m; z+^U3ZKGZatN_$&_CMOP%>KO6g*SIq%!%I2W-zQ6IJ=ht(Vm*c6h4<#}f$MEs;#)8t z3jji+SW10VneTQr118;HDG~PPvFY1Q^^7SoxS2YEuSu<(3c|RL@=?)v3Hr|2-D%0z z*dm7ZYtS40hg4@x!d7)0ld<-v#|rIw+tzl?vZuy#eyCxlU)6N4(>L*g8H62X+*Kr2 z-}a3=o`B|^-{q`V@#k_BSHBXxd`nVnI}^X3pBMCn z>^d*KMPX*TJi%%}9{dO=8lDpZXACtm&u=i{fq97F3Zm4Z@^fBgi;XdL4@C|5>Y zILKlS#-zljGp(b0s|-$3_{jfM`g+X@S0m%ogNS?lU}UQ&PEiP7%xL6eO@4PdP0VW= zoNA@#Fx3T*opr?uox;G1H*Tx_=ng2=i<`6;?ZTy>&+wg&&0JDrB+pFyKhlQ1sq&Fd zaB8bl`UtmRH$U&=o7nX@*b-Eg}ML-H^lO6f~ zc(OB!8*PEp+8V4spnrv0XYcG%^P?lZKu?-AE}?ZCEo|KttP13{Lw3)&0hP*|yC zA-HF_oneeBIUGZsQdk^6JatiUK3U)&j~{)nXVux$Fn;5Gut1DlEQEHE;qu=Qjkp*$ zTQ|oXL{0kvTvY+(beju3;7;#P@(N76Gc9?vGBZX|0Z??F^;5Q;eY>C;*;rF9_qmys zh;xI=PJaF&R0dQWXgyzp?as*GiKfGEpRJ36fAzDpg+0nP|1Zm=dtaC3i)*+5l|j}E zhoM~sx+=8|2^{%!tk)@w(y@lg+V^Vq8N$vnW@k?Z>V&;7M* zj<`MurfyUl`KEYLlOf~ZZ*?@P=%fxQvMJh3Ov6no<>PT~wX+;!=s{3&pt|J_${@f_n0Hz@v zqdvBH)717lT2HVzXbSKYQ0c28`Lx5rmkA*MQq3nL5}I!(w^rrMZPOG<_bD1SP0P_9xR8W^bz_}aEBC)VYu{m8J> zC$5n)tYE=osh0g#yyZed^<1)LCE1cjo5WKeBb&NtJ8Oe|xTU9~A`)o8+D_zj)q3X9 zKQd@R6I}$k?GVLq%d%_NHdY2`F?m?u;nW0ZQHRjl>v@YoZ0qIOlx;KER7;Xro^YRY zisqUlG#@Eso^uzwW>R1@+l^j5EqnR?1Ko%7?Iu_U+82l1<9C3M+e>Pt&Uek&>u_imQ3)N69bHHl@D%C#ao2?e7dr8xF(hWKQL-Gndo z=bqN`n@gL6&kw0KtZ4e)b4uBS)b zkB^HaB@PY__cmOOEp?VB>U`Md7`EVOF4=B2Lvtjdo6}toBxg-%^vU9Q!kt8p4RBsf 
zbX+s-s@O4FlftczCA)g>?)TB+_kT}kxV^byo!sm3H)xuBn*UVlC?+wP1~Lg?8sOxJ zv7RKvvQ0fb4>z620peR?G$!2^1>u(VT>e{%PZhrcsaLs;>>bBu?nJA5tJN>lmrQNs9$hyZ(C76Pm1> zTDSlkP513G+)i3%Yv4h~iPgyw36eEmMnE2` zp{TAOINC&8&}|k_uAXom0!@LP{XC`E$uNY<3)W|tE>xG7VC>gDB?*40khHS(RultW zN9iNBmS`xfJ1ZEf*6PPa8e*7CF6%T}^ddNCqt#R0W$!I&y*;_4_D7kKPH3st?E-0i zOXe?^U`HJ2f+he@03D+NRi;D-1xGuAO350K2ej_~Dly(Tr=e8rn$bZVFOPBkax1$B zY{&<@qV7N}B>Ooe+|)8|VMS2=9+kV!?CpaHYKubk7q`0Gkaf0-)jw~{ zysoVy5K%`emK+>8DGF>N*C=gGgC6ewo2aor=;!v0_68e@<-yXz=ebyLA6_kq}a9C43Iex zOTYzih6%Nf2S};3^u=G41~q-nTO9rgppMfC!a@&BiBb?4aT}(kU7rkCwvlHL`U+k^ z+b`(NMK5EZHnw!(JxFA<)VyayWmRvO-}p5(k|6tH&pyi(vWI>-l~=6lw&?1ul-f_Y zJW!td2Q_6x&R_uB3^W2HF5>ENTw&Ev4?j5b5!c=OhrxuMN%G$rD}U z%4m1cazc!UN)B@!XR>ljxHX~fKomq-WG|;{UQ^s|t{NVb@QF-a)JGXulcYv&A&n*a z^+KLbPV?i#iPWc-z-*eq5jG%QM29S;6)(zEM-**5Rny4`)ODXSX%16A6-HEDC;E<} zHI`FBujah192t}oP0Na0@WQd3g-~!Il_){zZ)gv@GF2eO^tQYkIw(j7`|t7Z_)i9d zAgP&&VN+B(^J%RlegAp;jyQ9a?{gZy$_rz5eSSu2s|hGl(kNt13WO_cU6D$SA+``i zURev3=K(=UBr>m3(hu61)L-w>i%xQIHkcCyBKYh+r+1md7V!C8{~6^UvXA56$=LDr zw?P+_O4ARRgBf|k6sO9L{;r4a;SWF%apS#=P(bj*FdR0eZQ$)D{_fv3Mu_53LD7HHzV`3Up}UPzasKxWLE!QY zGuIXZxs);KQ+K&tzoyRi*4OvATXva;dMXuCt?v9?^Cw}J zkG}qoBFpQ7k_$rv19+D9Y;Um!Z??Bbp4)t43I^+IU~%&2x|{#Il9Y=dvw4{Z7<23m9^X8)PO;L7FfJW7hjFiv8%d8R>u`6BZveaLEFqgkS zU5YkZ8+;+%jaB1&6dzn{W_W0PGF{UFCId|ScL?L5r_)?OnGEKSC-Y`%GkT1m|IqX5M$Yt}MRR@Ws9kUb7sYopSa3lPA`>jolyQ{|+tnHJFpd~c z{O<$K-Kf1S>hmzoSm-Nc(*@6@iAFzRb-~Se6XRAVQt54+bvI+&NK$*+ZT)>+GKvYw z2YXtQaQB}Z%gR@Co^=1sPJOJ^K)6QlF`g3XbUzQg;T?AxT=Ti!v8E_oN=D zBfg~`+Dh@&R*~PDmIf=vRby*|KKLu40wK~x&9q;@^8pqEk6w4UyP8*vfguZrXS}%# z;>k+fA7xeX2}s9hR1*Az*oeO(asb!SHZb7GyD1?P_z(8(*`;-9727j0d&gR-`e)#~$7C;=t;4`QYQ_Tn$u+mfp%Rfpdk+NJ2uPfS zx##B}h7FQZvxO;BE_l-3fyEp}A1#8^ong>?ujQByE|Yx;DB}sWB;B)40o^z3787KJ z0#e1X*QdhrJ5dvB?b$R*rj{IQ%l32r!>3e6syBj%D$ft6h--?3Yf;P@hC;+{g#E1K z0VJ4&XaS!pu|1(Z$c-i=dx;Oy*0rqXy829np&V>fStqHk_F!SqFiZ^f;!31ay**O| 
zW>MIf8?HQ2H$kHhRG2n{t~~H*)4o#XxA22EJ95M`U+7n`jn|;R*3iT{8pKk`5(mT)fZaO9U^?c*bo;hC@7QFJNc<*^t_$}&ME~as(xwWa)e5JuF^ew`gV4G18omG%G zh;@E~kaH{Zq-aqoZULi|QI>3&2(cmv#H$ds3uFp(_zRKm>Ef)1ynrI6*hpI6Qu@QA z3NU~51UcE@>K${8`*G}nK7y4MzX!timjCzN$KNIYQmm1g-4TM2WA#cR6~d_pQ!Y6Z zKNL)o1vDc1UYcl@y*2rSjGg*V6LcsicokArxvnk z!?lW-WeBNBDo}=vEzOST!9!QpxE{WPs+? z!32L|CVu`${!wDyb7gPbHA|Xxjz|C_f#k10nZ7W|+r(J2MXo)A_2r|71oLTCjM5=k zdi=G@a>k#?q_j|cYaBR+%X4}7-M&A5l$kAW9L4=#tkI{(CVf1Iv>OxV>2scU1qht481t`U;*5>9ao!Eucs=*w#h)p>S~ zV7c!UT&%yAK5SjswDf%m2(WOWaX=j!;QuVINPDub4Dd| zQjw`AlFk;seJBwJEQcIscXmbwdsd-ieSACmD9*5M&6DgxmvJn-Fv7WuYh6$>;PJ77 z^-th;{TlS2-A=aN*~=D@rMb!Eq)syzp$40FG1+vPFLJhm$qJR4>A*$5GaIPfRe*Y5 z((PHL1R}aBRti|g0T*9V<)aT$RWJ!w3-B^U!~FMn2+n#S`Bq&ds9WA)jZWch?`c;; zjfU&WlEIpjs8s3&+eJcgM+v(W{XyeftemOdacDFQQ!j}>J6lVE7r79zWxuh1b=HHH z0WSqyxEXoL1@a~VAH@0>XssJBn-RvlO#VzvY$s}$RJ*EDxtDSmiKYocIXZkf&xVk) zo)@m7vgq8O)PJ@UJilHq(VHJ)ZXy8{ay&O}dVo_pv6|ywsQdyV&P_i;1-oc*)fp~s<+#~o!Ql(?phDdYeL&EDBfanb-86#P@NeXU0-!Y8521J1ah zdw28mvQ&S2v-@*h|63>TW-Pnvvh3!)p%$ZO1Tv23kWBt=hba;5yp;6sYu;XWZF9F* zCiGm7(e|uxde{wr1-vX8$l6QcoI}wLCQXqOCiq3a&EiY)V~#Wg;XgJV(J!d45e-b0 za90lDSPMxP<^^E2=KhMAt9DHCgdU zKb+!)GP0Rv`Uch=1EN{Cv6et!j_$wl`mz*Z;nEB6b2tIeO7GmaYXkU#~SPQ*5rTpVPL!-n1;4-=&CYf zC4>k-0jfjT8y?CSI=>nJ!ks>PCWtGnR`5fMF9FPOZ(ROx5=EMJhrWj*=6amARdh{H zaY2uIF8a#DmN;8jflGNL_v{eI(W|F)J+i5;P%h)L!Y;^t>ddGvl7-r(NpRYyiW54$ z#0s}>q%-9(0wGyhB$S-1pMqBWWj<) z47l4T;VYKW2dPUPW;uK4g3$pN)VZRkDqNKjKL=X&M4_9wVQ}8Ef8f$1A&5-Au6^Yc5;#< zRBEK0QWw^3MYg>@$7B?LT?+x@OnZo6BWe`AUKK@X2@>~}<62#>Tw7zFtp?4#c7_k& z3x1pm;p6xQ+tQ-oTc3p%v}YsGx8%@Jl5k#U4@a`-4g18SNfjNLy|ubPk!n3Solt&7$gH+C zij6GRnfkSLNwkf-9QRUl>4^eUa^oiF65J)^&q|}a_>JWmfyjQWXG0{9u;d^#d^m#- zGUj{`=kVvfP66a!71rpVZwF*1Bd=Y5*>SB*c9#2hpRH+98-u^(K3_IZT$rU-6_JF zv!Mp+Qbp(=%*#HpTYR?qz22$DMg4$&v$HTLfQwrl8Hd&O{C!t8o1MB7WY_mf$+d*MGq}yLe zQ6H)8ph^|Qig?#{^~LreNI#0vl}$F~UQ|LrTmLqErUT3dm<_QS;QrH6Y5%UJDzw8+ z&n@F>QHmIqIpO#kJV8h^XA0K5_4i29&S`Q^g@RSI&>%!3>n|)H4pJ3x5FwNi`ek`# 
z|14H>kj&+5BoH6VPFWcqkkY$YcRBR}K`wQJWiV6Hw5t?#!j>gaRV>%yi=!1Ercd^$ zm7*%Fif=c)!N1mr(oiR*NE{(?7h-xDZ>GVK3_gL@@KVN?0Pq_)eP&7_9)Wg(Jl2>b zlw*{<*<^C8F*+OU&wZ(3%nr4Y3$21cQ{;dkIJV2{Fy0)83Q#V-rJFytMv3&rp~_1p z8MI?927ai6Nrb1+O~S7K@t)bK0J~SMsoN?*(MsA@8>*fTZF<0C#q&MKcTN|xrAK>2 z{BYu@`@KuvuIOL=SoA5;@(O~B*giuA_^`Lnbb+mDP9B}=ae*`IkMNK8m+PatD;!eJ- zUJT~2iMfu>y=4)gY^Uy;*>9)<**7!>Q-%b9!fMX~eEr@4@J4Tf-0q|4mrE(S0BnEa zm}R3sRlac3^TzxiLW-1YJ*NHz$kc0%Ot`OSR_BHvwR`24sUh&%sg z*OadrS-OuyuUkN5LlF&$>D&Q-{9^fQ^Z3RxFBWJ}E$>$M$YHlyjV0SxZ&rX-d{5luxg(P^EHoE) zR?z#aE;6i*EM$gsr`QvX9=|)`(Y!c%44?b$Z|`3ZeO)l9>hOx#K(M zlaQ%sFb6X!|Mq!daJ?TY+1(-|e|v8id}&{a?uz(e2H6-8nY`YoXaHiI8UEJ(O5zV>>RYni^7;;FPHhUF$@$qM0fRJf(iDJ-}<3F|-I+6Pso_%bi_n%`hQ8!}P zh6)lXl`bc?ZTdo|TkPV_gAD0lg=(mYkJ&-b`kgkfa^M>-bnBXyM%~2i-kNhZsl^%x zJVBo@s>=YP92`6aJPy0xz}qFywp#PhQq_2WJMzCS{G#x{oylhyTelwvlk>qa^)j*E zG;pyfmQ@8Cu;N@43=qQCx;%w@>4naoG(wUI0$v|+Cd0Fd^=c32eAX>AoJxAZiy{m{ zgP1-L&1Gy2_k9>ud+?wQA=GH7ZHqNeMxQe|O=&eA?R?iwDqc(^*cxhr{+_aiU{_K| zlJq2fOh};4u6QrYpBtPEwg#TCq(yhvjPvWSzgKzym#wz6zZy4B-7FpgAG1zL>`Nuj zV^%yofLwTjgxXkIPckmKo7~TS1E3OH$wN?L$;guHIaYRPCBnJS90K?!*t7-Z2YbZB zTL%9hM^C@^pOtI`f+)0L^Ide*;A70`L?<;|4`v09sK7(*Q9&MVo<1{k>`_^-!%RG> zxkB}j;^fB`|4>GfkqZ5}-fBa!z*;GJ^XberYRk03-M(atE4%OG+`cqDjw7lGSTu!n zySk(V+R_hKu78tevH?h;t%zsfg{PV7ZY_c9NBX)b+KRg@Xl6rB)NvplDc4wxrWHmD`Zy$Ah zodACB*&CrgpLSjEj_x7>w6hJ69*k5_Nxh!xd75-->9F2AIp%rkbaNVeXXGSCLXByx zxaKy>e^R&@B9ye)2`T77-rM~m)B&%LpW$wKcLAyld70PaE3tuxeLA!P{4=XdpIUj` zlLjy(lhVi}@?RdBl-NZJm_Q^;mP&*lMKrNv0Jf~FF_(95?(y?NV(v7^5;z$xXyTzB zMPg86vTX*+-Q;kcX=yw$)o^@;wU}ha-`zK{LCKOH3A^AFYWv(ABHE$u?!!`inc`d` zDneuCW>%UM)%Pcmv=nmqRqilCUO8Q})2dSezh3>VEGmqtgZgAoOjX{!Lw~AN$9njd z&+;|S&?}w|Q`kVUn(oDGi&^#L9~0t$IwQ%RSL9G57~3vC$10{*yz+XHN_4d=)cm-9 zeq2eSJ2aw?qnTNRDWh$YM}6u*MNB{*zSC&%P5=U8VT>&PwX>og@aH;J$JOsB7M4_x zXQWG&AjYu8(Mh6OqL}l^==aO~iIKMD=eAXAUiP;ppE0RfCn^Dq{SE9Wdh6wklh?9k z(WZRfSppM^HjzT&+!`#$d(`7tn`_AK$X>Pc`Q&Lv8qclKnPL4zc^@semF{;=_{Cp|D)6c#A1OW7pP&F=N_wQIQz)O3l0=Z< 
zY5f=yi))F}kP#sx##VR91Kn8UkX%Y(vJnwMNCqS(CcLn`E~cUygS~ecN`u`s^qq>3 z5CuZT#D-9N>64;HBs(P{CixkIOY%W$p&%=Ftmqq~k{%yG4#rkmsBo-jq&Jt!ok1J5SrM_@!+?(v=x0%9PjhXWaXp?g-M9Y zV~1{anIyU}$3AykT&Ei9JT3o)t7}z8<4bmYZT9sdcI4!1wb%&A%aTTpi_E)lJlCqU z$4OH8%Rvs96!gfd{Z0#k!$@>#`@@p`!=epfo2lrcD2cikS49JgiK=4dwOa~AYF&R| zXlt%__jtV`vk~Q{dds*XGcgKxa+B)f`|i@u;!g&*2<0fJ;Mma}6P>TpX9dG-HmK1-ljuIOCg51{5Li>oD{%pv*+R8VfSvw!L0k`;d`yP<^DZ; z;p_YTb0i^m&q2U{)w!-`hs|)-=%WB|>hkH4Ev~joiS8dTb>y1SzK{P@YgsDFE=xXj z&Zk~4NRw!(Dm1aams{)zE#8e^KHRDiF!AA~>yyg*bGLFU6YcO8B`qHQTUOlDQPjyR z%Q~m#!Cf+VRu26ilQ#no)ELVn$Dp&pnO}p#XRohiy|2&DkjZM@eLtLXY0)djP447hFI(TX zjjY9M?Fhe}kjdIF8ALa#gMwX`?fWH3=pkVV(J~O`f-6u2cZGqg?SNCNPIFlQ5b_%b zNiuUjsBs1m^UDc!Qgh%NwclxGaK>gW$7cRHbr2n;rcUBFzGwo4*)aionbdF-H?my2 zy+m&p#4SJBn^uiuN@Z3$1A-QoAiZS1B#Em&rCppm{<^*Rx~WSEB?jNJ2{44Y+WcmU zc?q^s&~ztl{w#%*69||j`qPYslq|tWtFum)EU!?Ig1`&fVr^Ud`0eb)p{LMar6v{~IfiGhZ@&CHy-GrbN-Zx3_KI>o ziW-aPYFVx6pJ>8(?{pWNVi~1NnGD$I)hgkgj!v=noO!7?iu*B*p&6riU%=>`6V0Z^ zb`p=66|~85NuoVXvgt|v^3OY2ZRn2Fh5EPuO;1mkA6Y}fJ z5dWZ!3GayfNzHz>A1?0lAz`LTyp%`~EBDg#DT8qP;XclC+F@wIcQ@y`upq7$Z-g)bw5HtK^_r`N9q~4 z<7=g}L(0&z6t=^LBT`k4mlPToi8mq`UB2eZ0KbQ!8;2M%PpCLV|=l z(VR*`W)kYvbjG~NAT0=${E@uL(DEOYSe_L_UIrn(e!J0}h0mX#w(RT5uG^EdaF0eH z*}%%^*Vp66^OYtIBePKFF7hf^=Sa7WAQdOs+#|Pg&g!d9<>M~iG$(@>di`|4&udu- zA(OnS`p!dH<=ScuXrO%qavedLvUIA%6Fc+Lc+chRSD8ltMHxOgfPHov zj*OxFZ@(?C3|m^Nk(0ex8zqX7wMIPjMr%RL)Tj_kQ3l=1vce8()$kp9a9G)Fg+0pY zuEthX(8q--d)MIGNeO#zBClJ`26@El#FjeQ!F z3i!SJdaWQ(h%b;D;6_mnk2P^xB8Um(1VI5ve@@y&FvAjUb7)RpxhClt0VT5!`yGE0;J*deZKue!vu$MC7+}HHd+O`KHPo159#HH73y?JRJh0B0Ryc7tB;bn8_0MUq9m z>EMb*UY1DCGgJqGqsa=E8GJi#2=$%SEmy|`IR=l`m9-MgKt%-hl*lWMYJcd6i1!d? 
zlT{2BG`<>G=HzUpqDT!|aKzzD?Q22`7|D#JJ3}&XM07|RG<&Q;RhaaIkEodHxJj5l zRnwMerR~k14^zQlu&#Bcpo1QnS_@(d;DWh$b>s;XkgwVgkX;VWZ1a`3BrF#h6vXHHvaTv!c=qp#jaV-#e$rzlBQB;-W6gzU2-E)DhV=A7HO6Ji-5h@VG*MDt zicvuY?5m@B7Dv*WgtPwED ze|h=C8@0=%ETVrE^x5*S9wX^`4QYHJN3T-0Vg8BxL-QO(H`pQF7#MOx!|vM{XiQR1 zh??Yi;`odw(Ca>hYYzg7!{U}W9NQ5^4IeWTJ`$dfRXHg^b?O(}8fKJ^oY6Z+c=c~N z00QVm=P%KEsi;lx{W_T({w$<@c2S`XN6Hgm{W;b>+PYOIh4qg;l%e>zXdf#o@CNj| zv8qGPivp^FuR&&K`XWNIMv9EM?sW!N5ZCvgG&kfOYl+nMYHCW#I)CZ%FlP*hAAQ;- zkS?vv&kjif+t9t7)$j!jmutZ2$!*v>Tr2;94=bx#e+|Z?TAyf`#&drEB^#S7a5zKB zYOL@F9Vvj=VZSvle|hJyS`Ke#XMS1R|7^5Sq%J}^|IIKX`jd(Yn!Bhw%kL2-cCWr${?i%O3cpV??OH{5{WW_PajwMcyfP$ot& z%l?REO^?4C3d(%Mt}^Y0I*$+D0d2zgo4`~6>&T~7n{>&t7H;v>>YJgM+13U#T(DYN zxa5~`$VXoV`a;Qadi+P`f?Q#5<$?~s3|3cyC14~?pT6WJ%EnC{dn^&Gt+bh+su$Tn z?Ls1?LG`bgF9)>Gv)%Ov#Ovg$SPI{^;2ysET*quF-}kztkd+l~^hp-nuroAOmNq>) z#Y$RqX{{Fhgybz6w}E-h?N zW{r#_w2Mawd;(B7*Ol`5ty5-@p-lGg=5un5qxf#L88{C3pk5S}B*HH5Tc6rV0)d*9 z(??CKsVLf+mRt3g1h}j(p;?F3_IC>|WfaZ3jVOi<<7#u>V5{5OnLvBT)nGu1J!8=_ zi`Q-IYZwU0+@Oa8xfs|({tF&g?J*wGmT_3ED(++Tty_BJbV~Ei`bpnAzk%v#rcM^u zsP5G?#woncACOVFN4ofrCYHo#trq8<>)b7zTzRBZl&oB>{{u)sx4-A=SLjqW-0O{K ziUH`ognRm6(Tfk(q7Q~i|Io&z z{$)CwSrOdlknE7-K+$t8Z6nd+k`6@lj6?fmLH=AUzo_NAC|NI--wPJkJGd+qKLVMv zuqIsC`o1kWw6R?N5Bm81J2I1fPmzn5|JZqEql#q)C50m#0~K?SCZceZD<`6noNy$DASad8 zE*yo6N@%rLDe<5rCATXmFTb}hD1!683yMcR3_q7@X7(J$yUU4DKzh#+e)$vp zQrv7ae?lQ1O00iSz>$?~2O4lNTKUZ2fP*5pnMyykfrot{RYB#L>_Zm@fzaOj(tZYk z1ePCP48k^JP&}0CnMwM-TP%&5{9_u`83b0rCLRXCiou3UP`yF;IGs=Piuq%7Okt$V z#_uL%$#)9%8f&si5EY7PRo%-2UP7>2)*$&}Ew}I`>=Dkq+;$drOPK{ja^=g>gvVuL zT*KRpj102=19tCCq3X~1#P%9A2W%HmGpV4akLeBGXuvQey%&gFLw$Uht*6>Z{1*S8 zO4bG235g054(VouXn~c<#ANk9|NF$|A_GR5DSrNbubjbqW@Oj)G-G{2{RoEG=?M0C zQa}NXyeo($`EB9)86(J-jl)7zik zUw!`c-`Cf_U%maLP3Rdsqh|=75eNu|lo4?Tk=82!10>G~!Y10#b3M~@g@0KUX$}u~ zHJg9YpT1SI+1qc|*Z&&=0n|GU`ymi-X+Z#yl$cE8;lJ-G^D6OQ|@A?uR7 zbSL^eMUs~TI*6*$$JI@-nk*7Rid$G%NJZ${Lfn5{W`SjP-=$VG1xrZ+^_gqIS%ErZ zS*gR$VDnCymP;lg4~Ol|k_>vukf+DQnWN@Y 
z&MEE~=Y)WYkN^~y;hZ)M;)C7ajKwYCoH+M{YMfH>Uzh_~3V0(h0*BOL4fq&TINH9+ zf(n8LBZdc6AgFhUTr7$wDnaBD!*REmCjl53DBa6I2-LeWS!Pvt=-n|2K`UB0p=q3o zj_^7H62BTl50xeJt{*l~mLf)t))NUh7@2wVa6g+S(K?Uj3Rc*=dRHti%=J`^KYF!z zSSBiep9-n5Vww$hM{Tgs(efrg5T*Vp*WpS1U}VvZ_$eCza}!wv7bsq*C$3>N|b4n09#o zZcbE__5^!bQYiB5OHrCMQb`jMN`T~Gq|`f~#;OXl9p%#qEbWSs=f+~m>(Xl*iN&RP zwvy~x!T3T4Bs`ZUu{R3wq}@|?^Xa8kKOWd#2V%D_#R`~((#N#=Zle=LGM>n!4f}-bDiat+GZ>Q!;)jVg7EVbm`0H*%8JmSHf zYwEOnF0i%L5=Ve5l)9DBxW^h@0KZ+}J(cdjsIpV(X3?Hzu8?jPH<4}$peLxVrx-2n z-671Lv6=8Fi=TV zm%7bE_La9$`Am9Lx}7fxR^$>;*?&b|r3b2Zj<%);NJBmFN!?6W>*e?B>yJ@#JDuwl zxLQos=KLS6BsMtAQ)vsvouXaOnv!q)l3w%AhT6j$ap6JC(p6y?<|O6~6q$5?vDE@Cv`+)V+Z9GuG! z0O!hFWq_~@S9)(oPsseBirFsJciMs)ANd(bwBIAP$whY7_k2|Y{wzeYl zRGC*42&8vw-GBl?9@w0+nZt>S2ndf6449Gg$Y4NP4F;r`uu0=^{?v#OiJ04oxI&L` z--ct|b@92H&TnR=`&6Viq`RaelEWItN!S98umk?6pF#>1ZKC zVc2yYE%F4)R!56B)0H7f{-*C&i`ipdH?+TnQv2173gEVqjZ8WA#r&L71pRe%V0+-! z@gWhw9{3QHqAGmI<{|s4+K7A-`{6@2UlOjiG4ed+{p8xBP*FsI;rl3xniz{=H9)B^ zokhXX`QZE7NX*~}OJ`AFG~S=mSugwANX*%Anp_=}$B6=aU5&a8i^Rh7uAWWRPp2*V!-0>)2`;itY{*a`Qi*0!mOy|LZJ(%W{Mx>#9t64<5=LzQBDvL1DkV(fQp z<;flN@~UJU*mk*5Rr1%xZ+gPXmpnZ&fHI`EAAX%-PN)S+Lfbg-oZ8CJ)(CQw<;)@5 z{g<3#p$R=~XABiO70~`%{gHm$py}+l=wrdJf=|{odilq03-{Xs9EFk4+ynxaCE zW?M=Uh-!WgIbcn3iF@C7vRa0{amd}sFsYDXYaLO&45JoBSZtNYdMd&dnZG1-V`fYI1sMD1f+0PEWt@`?-0~Y~=DHN^aFq5_}9uNP4e^z4552H`4e>+YGpZ z;cX~44=HRz>AlV1KkQv=j}upu{wvvUyQ?HR_X}Sl7?KFRK_CVttCgiy+ua5$9(!ba z0=&O|PhSRlJbgKIwcS;Qe2BnfdhAn|^HkMSRb!2z3@W1xjtJNFHQxF6%YV&-r8s(#wN}`QO%Sz|$uTnj<(JuP@nkl;-EH6P zlA9lv;ox<$1x9Ldc-|3Q8rKi}LHsO7~r zNbzvDe^wNa?mu8!b(p?Sc3J)7=|+%lhS)l1oOEt9{nnYtL4u0M5pbro^xxCf)hd$cseqJDYOj!Ju}#)9-ND~RK&!V_Iq}C zeihtLo2_MH1Y6SrXlz^xB9*lE#7+hc*#;(dUfmsDEy?C~I9Gzkm6iOHJ-=!YyM`N( zuDjYn_G3jH-Dm1U?7a6gH-ayM-uv8f{J~@kn=k|JFgn3*W5WegaR-Xwrfe&pWs4E4 zTmn^7Z~|>AWr$pyUc)g0m+RQ$R7dgnV^r$1HdM-&0SC%9P+IZ!if6w4bbH^pP$aiD ztHUZ;=NYaHfEtC=_%oXMvr9+)I$39jLxZDPGPpSi=%ptVfwW&9ZIq3QEs2dKbRO_= 
zV_sYjW`l7o?xUlp`yl>hP5U3^N^&b(ieV<89gVoUCbg#cdI@B-s^fV}a*l{Hk?`>PL|YzMgBB_~j@jJe)DT>HV-yHt@_X?pE%uKzB9GezBl zXe|E+#|7ZRXS22nuw!`**mdM!^BVBgli4gkq3}i5tDp_L{7CkHAGWu%*~|Mf@DIP{ z#oqO%(1C_RZ}~wA6MVW3FBh4l>(#$MW990@HyYog+Hi5RR;9Mp{&u@xeMwC5FF!l3 z9OnW^O8!ah>AxmWk}#KsUqE(cnZk`4oL!O5;_u3h8rsZRSBF{*0IVJ5@ziElE?wxI z+B`^|6{AsX&)KEn$4yCB&PFI(Xa`hgB_g+D6HsPg@nQ^R&M%QP8&vmJGIAC?Y7foX z2vG;vMJw&_yXZIJAd`J-*ufbv?vV9FWB%vIVMnFbuXo{#Z1470+q(_OD;omTjr`d~ zp1kSEM+h2tJ=)8~^!~3+3OQ6C8IVn@%SqZCL2w2PA?mq7|Ko80@wLFeOzMB}-cN5A zZ-Vz;ZL)_iUTrsr>|_0%Eg?f@YMk-%W#MxAA_gFJy@%~$KQe0 z2aY%p?4KVTSspp(4L82$81TK71jak{sxUcxZ&l>55DYY!4#FtsW8i!+W7GyUMz6(@ z@B#?(Crcz+7ui}rwO4MTZgM^XQU-H39n<*pEpeJGXai-(BYTFY*5_`NAx449P_330 zKRK%pWe9RW*~J#kF`$fgKQacV9?G_Lh5$~E^vgiBJhfkT48LEFpw)0OLR&DHSL2za zpTZD8%zS>&?7709h5I^^Bo`wz>VjF4UJ{t}(x=Z7h@2=zh8kn&B(qQ*wi>?EP6v|5jlZ-#5NboleleMm!-L(9=4izZg#puEr4jYmEPOs<`Jp~&yk#q)i2 ztX!}VQ6vS1{8)1$pK5+-S$?M ze_brX$1NYbdzLKzzS@RkDt}a8cfDLgl)w_0EF5{G(9VquXYlu2M%*Z4FtVXHiew%? zA-nfRA(tMP{31HvH3q0JWn`BTW)(Knm?T0HNxwV~Cx58!!l$=QT5Lvu_EJN&*b)d> z+qdCxbK=!kOMl-qK42RTD;v)ux8X1`2$o0}*%5-@AVvrmzy_gMigFQP2|USeVZ(b z^B83_hfsom_2kd4CS~8;9zKPW+TZU_ZBl>{0KSJ#bP!5KLe0r9mi8qb+yD`N@0Jcz zw)sBT(h>f$N`tK5Wba-avYUN%!+^GPRP*Ozw{x)hknJ2oX^S75l`P*wX+$p;+s*Uj zkTl7Dl))%a9+`5H1F$DO(oKld{#<1rUM*V}Q&*Aa@CBFZIMk@VM8^#5BK!6%#6M5d zbob?k5zv-2RG*OuYu0d|Cl*1*)Beu$_Yfj-|Z33i1vF%37TlAzU@XR!jz-^>Te&oG9+ z{@N9j+5~8V-&9O$I04MpDekVYDaKy=#GRXxY+oi?O&$6QiND^iSBp4(?E1`auDnzrKFI{g8(Z`w<0Bp((X5R<;??#)rhpFSnc3VY>^V@@jwB zeWDX88?Er$cnFhgN7N$ruFb(Qn3wg~`n+6~8eV<)acV-UDq6*m8jTdzQUV{#k8zRGgpHk!@R8<4*@%bsQ6a z&gZQW$qC}mm!I-B%e!I_{|Q1+>m+`7+H2a-Fm!-vzsz>;vZw2J+uiE${)UW!JB#1I zd&Lc07mcM@JD)GVCIX$$lR+|fLgVkn?UT6&78Qq>co21X*X!i){!Nw!SHC#COm1(> zW#tr%J-BxK45zkG#$&8uIwSB0haI7eM@*tTPblN8#Xn)A*BN$2q-S%6r*VUe(Y;_* zKtOG?T`^5LoacK?6D@HsB>i-S@2aGp$j0C8ws*I;Map)QzeK~py&#aW?G^WYf|zFf zqS~248gC+p?xD8ut~%<8Ed1&7m;Vz!V-h0SB>(PIOx#A+-%v&}U4_$$A{oglwj5~- zN+zgi)-9;~b~J2AGQsh)JLBdHB)~G~R1=saQ;|z$3CI9g6&-8FLpCT6AeoW$5kxXU 
zNwe<%o^69$BI5llfx<^$6Mq7%Zl1k~Uvfsp%>D=u*zB`HNt=!ySYni_zQevibk(PS zo9%8^n`C{R?eZ_N|LIM3v(1O=ZZ;(uwIZwj^mM)6et3F&o4+yJg^yBv&VpO@**MZi zo73}G7mw_#N~|94cAG3cwy<=NN9CMA$5bKenh(l1-#1AcSYhP$NZ9%B`C?|XS^gcv zM_sQDhX*9{&v~>TeofzHKd(1MAL5H`IP$~Y{@HrF_`7!XC1u-Bc=jW=8vL^o>7#^t zx$^7iU(|f{Am7RrfnmQfMm`4?8QYEgUs*7;^-tkDrFV;hn)=9gT{(L1$abA;D~dGQ zu5-iOv~u{TG)3C(99lR;VY{+{oZe%*dXVI;CXy@fv)!)J=E%1DNA@nsn@DbNLyQz_ z$d51Kg*$;ITLNU;xCnEuVTL?$gee$-DS~|w=6r$(Q?k!C4h$^q{3`-WYX*TI!8v|| z>kBOBtiW$vkstzCe4DIPASJ() zQo#Z`EoCGim+C=4PAUSW(zfFB0?7F6EI!YNxff{!e%0=~yB9zX=K1e#X(QMCO@4Pb zU)u}lyvq{~hjH>NhQl~D%n$jr>&htEz)jh4TzPb`_3Tfto6~4ntRb`=rugLs-5EJX;<1 zFE)p4w@KDbqF9We>9VfsL!7o&1RAq?fd@J4tYfqHQ~T-a=o@`?HUe@EuL74_gtIjG z2lB?b=M0FTCw9-K8ghGZiId40mpu_zeys{CXG<1WP z%oDNnwHSz+C(vT;@sCi6@x&v5WVk0b5`S_o5?}z4@??n(<05wyBUk9<2$&hJ&|Y3j zLSu;qF%Mb>BQ1~ITTCFKu^a(4!xI`-2>j7tAK+M$gUwbs5`d%J+!=JaeK+26j1;s6 zZZwxxOZ=^xkvM9^A7mp|2oVZMBi zzNL8o{b(y*A*27zcH8_~slAj>y4r58SO2a*O*7*&J6FCWm{s34yzfg_m%L9tl?;>e z#X;Oh>j>ce-YW!1pg;c=;#lOdPke=3hm&6%g4W(74QUs_M#+i;Zx6=_3=-;5VZq4p zNt}$FV~POIUoE%0b|oGI%WG(y>J)*#y(kPM7*$4zGnzz%dY$~!Sfvzf1URpu{61$R z*~kPmnKqhtUXut^`%uOh>=7u+@GNrY6l#<~jy&RpBg2BaYV{+01e~lTRD)&YkYfCP znbXdMd&BYLjQrW9V}6~iv%{gGn^W)+ptFGD4R0cQGcbE*PA&`XedO+$$-zZc&Uw2n zpVeO05qt#vtbj;EF~-PObp)qIBT&ihw$UZJe?Q;H){t~X-}Y+pbuvVYPeZ(?(nyg zM|kBim?KcH%!RoauS`1Cthl0~)jgb5ArO$T71x%2Mnh1`H7o9Dw8Ql2utdPS4u=^@ zlEkdTk{T;R3C{3mF=BKWL0e)t%*ap!KfI7cIT=bQMk3AJtI#9hWw=5s0$Zmd6`D3) zjvi?|rCLWy0yw;{OA>SLq9l>e_Z!s5uY@Bo$*C8oki*)NDg3$V;|)L6;~NB^x;8b% z)LZJk=laVx>1#Ep-qt)ImNmcQv&C4}@{am^SXnhHM0a-T)D3=qLcA=RDTRFsU4730Yt+weJ_eBPz;q&ku(zg8#mWVP6C7Rlm$_J6DNOU!GCUIOA>3akG%$+l++S8)ZbME~Sp4ug z@_NCtiD}sNk|);a>Nc>DbAsJ`%IFKAk!Wi3X_T=Vf7@-}u^V7fCgRwu`s8TG?iv32 zeDARXBZTv7yJZUhoP@ah(*TPiV-(|u$w076DGeGRB%dr7Wn(7wGw8(tWj#Op! 
z#T2{^ZDejOfwr-D!ij-yOr3&oVzP4+POPWDSVS0d;e%riKMTE^U1FiZLnOOI4rP~A z#`Kt7k`5D@A;2z)yQwVg5`}X_wt4puPAo7KIS=7P53?4}>5+mO2`9FTkVSxSGE9D+ zMamB|F0kZEKVA};85K)*u)y*1{bYxE2ID%|C5Y=VjLYR^x!TzsswxQ@NX)KQ)<^m;6fjuY9=C+ zYA98^3p7tuCI}~L={KR4gSrV}Ce5_KpQdb8WMKGl3MN`O(MaA10VfR%0j74+F0!6J zrEXtmhvL+mjvpEe)X!hsKmP#^Dfdd;JCksXhtGl-bl?}TAi@FR_W6A{=aJL0F*DUX z5O1HIsTPi%0I{L>*nv2F0&SNB)}iEehu>D~CeY%6==;H{+58LUzvs9lkhZ3G7-Q{K z)!FQqU-IP6Y*u7B0UOz-=5H}PzX(6 z8ht$3I{`*blaRfgKQq}|3nTDTSo`jugj^LxxJc&k)H#U`1A|hz;>g~vb)rTe*}F2P zM`Z8(=!b~R%L}j+Y8)*smBi1{iePpp!06*F%x*ud6ff1q1n3D-?v$1~(mi3alSX#^ z9N0xPF}r@K4Y`Y90nEFaSk4#-c{5BB-sA5jiY467fniY0bV2pyJ{iKePdtQi@7*9F zD;_yQ5;K~cceU@ML~}}V{F6I-82581i7bwB@9bqW?zK`EGf8*eHCX`vji+Kqtzs#&GC0iMalpeDNHq3P-|oG^YSBQKpUFt*j0-t5zQ%~ z`LLE)t-Z#t+I=@`N)DMDPGE;bJi8R_Bh}NvscCtg-MaUvRb{Hr>aRJrW zl-dG$Z8d?cVl1;EgAN-${ocg6gfSZy!-PyAz>UM)8G?QB!wfB!%!QcdkO4;#f2TQA zy5RYxbU0XXI$i6L?nju`GsGW$+>S4xlS=ah_lsL|*$Z^3a6&c^g#BiYg zQii`~z^G(uA8if(F4Q*FUIIgslTgu|C7|1VK6(j^1kUfHJ&O#(kj@fZLgD|pX9;@d z@#E}XJqIG}3G`eN2z7gp9SE+^&s6i$<1Y@yA(kZ&e@~X>@g{O=9Db(S5(vtt9U|jx zdhGf)248w%RU(V~~^hgGbGKg_{43i9h z;XCT4l8kgQz%VE9-&FlHAIX5B3*xylK}H(Cwe;RA)XEEnc>-(kV%SxZK^t%=j*>B4 zNc;?tUbCULz};{exj_(9?9+Cw@RPHvpo?0k7#m}_j%+Z;kKZ_gjqk(k%tRKn@RF+} z|4yzNgIr~}Q~1XdMA{>8Gx@~vl%UWy(NegV{FLOXVVo2rIDuINeJGB10dSNkPLP;T z)~3g&zNpctXdh0OVq92k^L?V}BW(Hea&ML;8ybJyyPu$I0j7r<~~0#EJ*enb-I zcLXq8m}-!Wk&M8M$6nP3BJ=aBey~=u10AJ6*y&)Tw3m|j5kO2nS>i|P$o;vP60GgD zZvh1B-w3%x+KVZf3)bcWQ5i3SNsXz)OcZ=$rNUka4uLJt)?x(A7+v{eBmFz!G+ zLng?GKwnhcy&`E-v6PPt5;0jzBi}>iJ3cmj7#n{Hz))|l9RW|%>fA{USt>j*0{zOhus_{f460Uu4f z^kJFDpQ37?<|8#U7C7@XA9D#4qNOHRxUh=Agy`O5hc=a;ogrv7fqh%O$4-tWWi5d$ zPu%^gfjE590X_jZnoFt0X{zih#{_?%WoT{Wz{;Jm{hNJepbOc%L|0HZ7z9LRKrrCpQEmGR2buUMI`U4|%;gtrR6ZS~N640Or*cbZS73;qJY{F0an zTE-$%e;A9#7Ptof6zm7fIE&*2|`lc}v*4eVk#0Tm(~XymR10!nSC zSL)&Mh-Fsb&r|l@lNK6>oV!FEj-5b>toPWdMF^HN0%O7>{SGitm}-bjkO6@);E^%_ z;`51pKbMj&tZ}CW>x1&F;Y2Th`Qv~veFC>`E{g2nfQbFuAUlLV61YfujSUz+OkixD 
z0I9T_+2Ek@0xf1k5LskzIey6HfHB8pIV7P7w9`b;92_w2Ks-do3LUvBhk%{X4o$)V zmE6*?Zx2b=ly&@EqaM=pM@TIzeSV+`9Csi%A#e zMybb&bNq$LHa$)-mSU73;E>~BQUZ)aCd+v#B?u65+qC+Wys4pVK&1(+k&D!7+TdSV zfj^(yF+(PS0{=75kg>`UaOl0rgdD=wOyJMN_8vPBX`i1UsCi@p9KWNV1JU@zj$X%( z*2K>loCAUSq+?~QRt~>O^m(E=xtfAD5`T&%o?JEmPOgfQy7l-2jb38|h8PnVn^*X^ zoOY9|=HD2(%2a)As4XQI+1vNKEJ@p{t#fE(VvfXC{<;pgn6=2S_#pWQe!9QT*30Ub z7D9M59w5NF)C?1w()bhIM`CLvn9Nfkysq=H^l1e5HKY@WOm*bk1ti|H)fP!`?1ts# zO*PSjl#Ch;Z$X^dHB5e%adLjMNqEpWY^v)nV}o3yWgdTLQp|O?fNn=bc-;+^DUXcN zFh%CA26=L}A9!Wl6tkpko_|CyIvJxun3c1*923ihVW0tacF9TiAXm{mnep zq0deB`9qQ2uQv{+dQQ6!A{|fprK@S}#hM-mqi#=>GB=s?0LE_j0X!)*X*fEsLki3F zkW;E!r||;fX-4B!>6goi$^eLXcKnPKm?up((@84J=Jv@QNQdtLf?we$CJKizJGsj) zdDuv!h_uV}e9cQTAZ_o}P$%azV{=j&qiGni~wB2N9c%@)j%47eE7xm9A4?k3-D*q9<1?~MNKi!N9uq5SDUlNVwuE6_G!K< zp5n#t+5K|W7M0}Cq_J7T684twpU>lUc9y2AXT!%)gzB*JKeE;Gd|ouIUKzkFA8zOW zXr!VuylEw?K52Q8e?D&Yck@d6%@k$jZc~GC5jGEC0DTXeBZop*Z)}eGE=UnB7a#}b zjAP)K5-a3?i@3EZg(i4|nbMielY?xjis%t+DIv)JoUT)UfQj4)C2L7I^}l3ohot4e zaDJ+hIg$wJe>t)9Qk!73i3nnn*p7(vF)htaNfR_JC4#!0s8aq@lDkLWY^u%SjJ}Z+ zTXMiXZpLQFls5R-j4iDv?Rrd+Vh9TE9GfB~DGT7XcNlDjfa~dv2D`l9E(gjjcOiSv zkYWfJHcvXiM$$<6KNY{5CdCjisveUjl`wJuO)6n-p$}Eef0tm*@n8rTu)hwDhty`r ze|n>V%f%2djj-WzC5#`D%ccLy*JAlN29ZlL50u$z>U$_X39QPr)njWmV+of(b5iFoMBVnk~fqdx7r(%mQyEul2NM%#lSRr zYD$lr{5Zkkrs8BRd#|PWl^tLDv)$J0$1G|BiG+mXAGdhB{7`&qWjf zvTS7OFbwU9dSmI-cR^zR2jQA>e{zIAuG7i=xw35A^ALY$WX$0bj-(QS17L;sW#$Ap zEzl)1AHLV-NQt>1Q2=W(yHv=;x|@o^A~^Sdcw^^@dYFa@ZduUx8QCYmE~Dck`=vMV z{vI1LBjRypG|TZJVaYE05tuR(dW^{uIXjuj5;7u| zIjD~jRUQ6&)+rK&uuG~hE1?r)C1c=)n~o6M5ditjP2@a)J#O~Y9STfTUI}$4k^!u* zG;=v9kn+s6D!e=2bxsKat!L zGMqf1?1&|y4AJ0A8&XGbnxVwWZZkG5;BawqzUzq!Aurf6gT1brcSz=f;rf zGhkPlC-~!W5`9H1#~66b-eD22X!ge5sqX@3{-^(4xg>+G%^CxXRzmu3PdiT(2;hy8 zohw^V)XOV6?n)@9;=V%2a%|${F2CK|b0|JGCIL4;h=7|r5pWg40RvuqOu);Hg{KhZ z{^MPykFtwPMQAJWqiJse8I zJMxGgg(Bqt>@X|0 z0(oe>K!uUzR1IGPwvl;(zf`7OUzjOi%hJ7~OC7?sM{H^ACPI8FTi6))fEegJV@Tl* zEy!y@*wb7DaFE68pt&f_Eq7=5Sd|f`glU?pjKWa>RT(pHNW8AKP6|uQ(YcdH5g)Tv 
zWfC5etO}j#%66Hu2b-6!{+%SP+jy z5L=g=>iJqmmLpoGt_=0b$dvWi#NeaLsA{Q9-Gsy}n`nJfq}Do~fUY z$!`YqN)yTtqJWBp*F4Z=DkJD{!0|V6O)OEZS8ziA)@^iOMFFOaBAa&I28DCzC6g zh03s}$wk0`u@4)ec|}L-#75};qt7m6mXm!#sx&cDk(z|7~!{ge^Hi1_bu`w$)l%v+9)@aSWw0Sw8t!v|s@0cy%NE-eT_{4X)v z*VtlUV(}_!Y+C9n0IO%NvBkhNBdi)*ga`|O@nlhBi-DPezdbHmMm(%$zU~@Z44uvp zVEaUbDB`D6V~c_L%^<{VV~K47^1YTZkHuNBtrOCVgWR zgcu5-eW~j}XJd{Ba4iTi8h}gct53|JaL>`}6I=yQDz>Xn%%J`KzrpJhPBIX-vjn{~ zCO!fnLjUjmiP{%?X3$pr*HP>diu!NM%*CD=G?xji*b~VBrkq(6duG5y#a}{|mXQiz z^r=;`X9nEKGj*}YO@5MD_T>8H47(I98NCZ1Z)$=e5vsJ1BjG>1)l=BBY8Ztug~dRqN}w#YBNM7H;sMMB?kiX( z&<37k7c4Qh9sNKho2;?%eL8=i6*u}6miITG+v3>tMQ_LV`2!_i4@^gzu`F^pOJZAd zpZF|4l(SXWIv~4P%pY&stG_9MAL!0)b~;cQ*+pKSUry%1<)p;2k89$yJf9cmi`E+{ z;HTIuIN&l;_>v}<>n#})BaEV?@@hY}CRKm^v+;GZd0bNcmvC02q8mxm{r6xlTzB zbczYfM)MF1ehfcQu)$}_vWI)(1HJl@ES}QLbeswNI59`S^W@AjEu8W^%h%T0u3z=B z?I5!O4w6C7F%teOy7?Tl0U~7ZIYz{Ck&?&fI6zv&i#Vf^&Tk`!n=#6)05i ztNvc3JadZdC6D|ULeFKMd2pE(7XDWq%Gdsv`C?IijJEAOSqeW%5+A~z(uPjq% zeR1=mN3Adt{jdMYvV~ej9;g)-mfRCx=Z@yk)pS;KM}_0u(VOh^d|j-5-rfBkCtv0d z`Uq~9dGS47>8~n=TDBf`I%z}*!GUb?X&i!hsKvr7H;xWmOagrt6)E^eN%QAbA#ZEwuDMM z-6-y*&MDc;apxN+*0O1CrXnYi(+xY@Yn3$wmmEPiJ@f^ar8>z@dV66xY|dt>L!cLAKP^{NE?k}=cG0*2oT$B&rESLI`-Jg;3OF=J*yo}B-F3}a? 
z`t$L#t8&GVO(dLMNY*zCIX;1 zck49<_w7!n*S=}9#33&PHOJ6|)T;E9IAYfN!{qbDfHfn| zssAm&hHwd*S&keof$D^JcOFMqTrvNvPew(D!nRh5o{maR8QvVI044$$A}%sAkV|R` zpA(Rq=7#{e$jSW*5`g6jv{zag` z43e`K_h9djHjHDvFJ%91J=dOU|F`#qrWx!m;bN!lo+MJ13m+!;hwTv!HBG&pI-*g@ zA*hQ=og^rcIwg$+CL{-GWL^I1)<|Tbkz~L{97GZvcAb@)2K)}@Sv#8mP33@r9iij_ z^o3Pw_pkZ|9@bfvIk$-n7-3S@9Enneo6jFJd0NejpYLuzetdVm$bOVV0?OG7R}bYX zsA_J-pFbb7trYaP=TCW_HQSUq60!b2Mzf^Dl$MH@rOgL+e=&2)^ko$JUzf8IFK~57 zw|GCzSH)AjnE#`)iSN!9i{Qr@=(sJ;NuTjs)U5K#C zxje9PF5G0Ozd8vGWzfwmb_V#v=Lh{RFEg!ymDeoh-=2doYduZ7N_2gCnmEZ=Vd?)U z<8HzN17ah6goWKBW?j?;2lTm$c%PfsHc-lKRy@NhcX#>})2F1^Mp7=)rIxFACf8sC zg2Dt$#(fCNw)84X@<~)TOzpraf81^)@i7PED0|x7VYYWKUgQ)&E5__}+fyIRM&^6M zu$0+BSW4zpc~C+H5+j@RH$EZ#t^N>3sT2wkf%oo!5F_eyqymYlEs!-98nPC{kTvCE z0I2@h{)cB>$QlDC#ztgqPwSmdSNUI>Hx&cfQDC;2E9r7rsBN&yB1JT4mNq9qy*lZn zha!#wDO(tVCJrV2`4luAG3n9Lx1?N89wc=L-eaSIkAZ-l9to6yw=~5=dQe# zq=zD983Fqmqw%8vwyqs;!v$3s2e7fRD^=lRk^qNDRj}<=kSW!m^K?zCTrE_oX(zaCo=x|# z=>$7r+7zn*M(cK`{^E#ur^@MosefDJ^ZQXTmPm^QMV#xhN3{ zWTK!20xAMSKob}Onz$jLM5;ho;3i)WL_!bo^@NfAj_|)O*TqeiYJ*X4*gn2}*8YAKlH750fVx_&)?(5X)g-YFiS+0uY$-J)l7iK(wg%H*~-jNA#JM|uK z$~F{*U=`AoElyt%+#lO#st7s_&7e$$B0`Hok2LW$eJu1~SfR(wjWWgUx*I09z&+ij z61a2XB-{Nd$EPA*AZ~Yx?f#V002XnZ>U8oLyVX;dDXW7IEW7=ZEf!Zl?(Y7#tRG-@ zt=^T{PyNru_N)3oCjM`@k{+ijkZ$BY6JW}iUiCZy%6ZWHqNE9vduy%X5%Ztp+gCM| zM+DT(5 z3S~`>~ z5rAVbq)xGEhR@`wQ!+aU-bvhiyEuW`M+_t{zYRv%Tn5|q9li#7Gt+dV!2&&(C6bec zX3Dl7*4If1GiXQT+oS}$i$VgJ#@FWwX24wf)wazmfdlF8><~OO#qSB_Xb#xEmG5s+ zH*Vj`-6+*caJz|*UTg3Xv+z@EfLAJj{g+*3&>1wP9=QRYAtVD?rqZEV!0ACy6KPC# zXZs5Z4au&4x|0Mc^1o%bQ$IZ4jlvKk{tp~B>Bq=qUyy#p`60!inVSSL3Y^`U9E06C zla7xA%nzR1qj>t!;pM7#lS221!E#+E~er!;cqYuCr|F<$A{EV9+Qy!UM~eK8p4 z`}~2DuZP(_AsS*uE{Dpf{{+D5P_v@^6sxv_jNk`J81x`*2X}gFVvf=FIa96+v|7qg z%e?p=uk=^XXz`H@k>vhY9?RFhdPqO&T(4-8_G|#1;ZU7X0gN;>1Xjt&FdJkudV=@I zX_*=1nM-Yk5y2a&2al?L-i-{osJ^RZ$Q2q@hPCcf{iF2zeVZV)2dU)OCP-_FBG2MT z?x!G4??JY&-<^kS8iQB*LoJ`y`e2I}HG7rKP*Mi1E)tP45Q+Rfo)_24)$jT?&L0<9 zZTZ(N@=2}R+}h=%@C!w|SU&03_?2zcqFVpwf3=8VGk>Riv%gx+t8&!YB3l(DKHB(M 
zDVOC_0dOxAi^xuXQi)0BcTvvbSagMDscG;dwh&tMLaC}hv=dR(3CjkDYN(Ohxsy;P zYPWl%6xcB~>bks?9z>THPH8^n%{1R<&DmJK+xf%it=(&rsC7u*u0c(&M1R{YjFEaS z>kAWx_DonwbVqqUa~fH$CBppAifk$CDRkD!u_@~WMp?&hBA3`Q{0Kw|t%H0AB^1dq zlu+`ptDh;91~*!7`%pA@Q{iGdjum5Ao|Hq)tZ8%(x?BgNBkQt`QiC2mlR*cTj2Wbs zlVt3J)Wi*|WlYMG(kWn?XVR%WKZbu~f`;uMGwA-j(b~YK^IQ@I;ZnAupt-n+Ss;cA^uRdq3de?_~S?C^@Q2bD5++jug{l&)2#MiQ^TN#Rtq@~!n zF{EfDQ;5cWJ}^jCeB)gPdR(&XE7@P8a%P%;My0U2kX; zB@j?+0+MAc@yAo~_*66}!eWtcynX%Hu3V~DE8^k_;(E9c{%>n4U;AU0ef?d(X8gI0 zmY2Q2#LWJsgPI5RE)likHF|2Aa_Ca}amQ@#v-eHuj&usHxupJc_jT;`VR^B<*Kt94 zM6E$~4jfp*a5Km*W1;4s?81t%RFzF^K3B^pTYbwq;pJJqzekI`B>QJSp25g6mUv8d zen{#UZyLQV__>YCo6i88Kx4mX=>l-M6DokE=@>|w_Ev(bu4p2Z0buC(F71by< zM>@r;vC?0$Xcb%j?dksNLFa7Qy8gUr%dd)hKgLeTx%-5)z4Ya9H3YI8nm)P3w*ZWC zAR>Egz-Y!mfYFRPc?dzVos*wBUV5Jue|}kIaauDCTIBr#Aan_tn(Gi;LMA~27+qm1 zX64WY@;1e+#HH1J@bx1Xi}gGmuI43#41*xwuSlr}iX@3$&*9{rs3Z4)j$Irz_n0LI zwf&@So<&)1Y4AWH^s7GZOHm*U*8~jhZHO=m+NTHvot|LjQ-p(08Q29xB=Wyey649C zwM8A}#@lxDczlir;X|XHqx9c$bURUjfE%~RoW7CZ=rCvjb0=saQpkTV+TGkC5O6#| ze{%=kw%_kJbhue@B||QI3uJuPCbth z9hG5VI?A)fV{)54q$PTPlO@^wTlR6eYO_Wd2npexg_+e^=s(od4n`~WyI#bffA!YZ zW&H9jZlzs4GUF^`(aXnngH-+dG|TgC<*)j1T`y8YtxYA;UMkx(GVK1Y;g7(3s3fEQ z>z@VcB(P~n;HjZb5{YO$)JaAGAdz;clfb}vAaAJC&ec$x*#q@u*tr>^aw_%3zyev_ z3*>e$eo@%g-;yuObhNxIG9%Ee~%U6eslm z*}JyhwvjCTTXr7@?FQ>!<(Glu#M$g59V1Gou~;nvilP!BvgFmJ)0x5i_u)-8B^8TD zRis(vo_=UJ5=DvUR^PdcS=AbL;J#Ge%W-zej;T0+k|;vXi zUQ1fBSfwR3ET+d{Z3rxC!d{5Sg!1W>H{q|nvJn6T+h5xi3R4XEKY16XfgU8J6c?c! 
zQaQ4HwEDlT*5A_gO`L33YhAbifiqQFEu^Sk#GcF1!51E=V*x1+-qs&p%5>d^%K*k~|!vJKrnJhG?c5nwC4RRa+$+BC9 za@17qqq$gpn#Zjg3 zcsR>A1$HzHnZIn9&Cf}%D}0%qaPn~a1sdQB@d4)}!D0C@F9p+an~qU1kxHzf0a7${ zU`>1g);N-|4r(tY({UVuSu(NJR$_*60J-lL$?O8KI!h)|Fkm#OWENw2bHMtTrmw)E zhOCZlB8VzinzBH~={L(J^&!HI1#k(Jk5-fR2{f@lR_8gEflTr+NTv@+lR(!mc`2Da zBTcLGoS*=fAGb)R4@i?>6|N6N`$U?U&uqFy7-4}dlrl)B4@i@6U?*QNNRtkZG>HT* za`aa=nGZ-abArMRX|g_%CZf^`X;KtO!2LryUB}vi@ZpVD@eszU7idHb8n0<=aw}z z#_u;}#_f&qT}~2XQUa?p2DhJj(AJ8p%OouZkCvo3<~!I4 zYfzm!+l$9J{nq-S6<6aEAFsMur~ki8m&p$o&QKKyXGZBZe~h(W2~$UAkopNlE0V1b z&M5h?H+y|J4dr-dspgUcPAb-PS^coG8@!;n@;@Yx-^Gc@GW}b`Ci!^)2n{|GB4N==tBmh;x(wVTb-p%DRVXqfyylz?x zqD)REfRMaya?t+%jpNZX3~FHzc=kd64ML7GN^h)T6Kb_8&ShTtv3&=5ni{~B>|xQ> zW|S^wH57KTTs1>(2~{?BoJS~tJmL}Cv?sGNrEMVl2kb%wXECn4nRaAyr#!{=!CyYx zz50QY`H|PFVn)z$V49ti@g z*Yrql^^7;Up@ANDmP(Bx5y)Xz4Q70|TWsf<4wbRAjfT6iBj8u)h`YzSSdxD8zyDXg zmSC0{#~CXlKl$(c_~SmUec(j-^tzhb4a(yP19Rve>7|Zu)J-dgI!~vwi5=TQsc&gB zr!jM5oQLMro~JU9H&@?zm1Fvm>@wUuEEXQTbI}W@7y5C69)irjh=VgN?tmL%!ok1mYJT#fysc z!`t*roct)xK&=!Uxk`2sqq+sKi5OwT{O`R4AY4;v<1<9KID`Q$5QIB%-Ol@b5H4n+ z)QG&E&j0J}Xt$odKFslJ*h}4woFMhOV=E&kkpCrCaQrZFEk^v);0Ian>GWKqGF|$R ze#ySFp&n$?LA4@x>>T1GV$UHUHgPOj91JcbRz*>qAnLyX1i=MI*U3k?V9QgC!zsva zHExLy#w{aaFcf{6F4Aq4tGT+@wVEc8J57meMFQd6|I8*FdL@qT%0SR7H!)8Oy@(Px z3|-QNZgSryPSRiRr*Uq;HFD5_Uqd3tuGEZ-z`Y-XD_2XcbK;oia;|mel+Zv*a>3b! 
zL>h?t@9e@O>#6iVTU^y>jONQP`w9&m%N_liI)WlU9d`Xr%2-Zo#f2RYL==enfx8Qn z4j`>_cVR|Y703|*!(XPt!lCe21GajAU#XY@;1}uArm-lL<7}@_*I(1*+q>0rzFny^ZAs>Oc|LFZXqsBIUx7)_r?)%hnJ_M4{(Xm&4)$!>hnkVnf zq9|${zw>&rn#7Co`1}_2t$5eI5nAe7nki$mPRep390Rm;2#6m)ozq zyGar!U(?U?=^sB&C;zej{vi{Pd}8FRaA@9S-r_u76oA-88fX+qnJL&1q$c0aUqirW zPi+XQ{T+TAf`%cFsbgE0dB`KPYnc;*29o%LE0f6$^jDdl{!~@U|B)Sy%4Eux4Ky*8 z%V2tl;mV|fR36xKr2DlK`t&K_j7+tfN2?Z|$x zeBFDE0}X0SU1tNHIjB)4Jq&8(l4Ji*myhc>r^#}=UM+N-aBNeetgaCGQ{L>B#ayE6 z)pYN(m7dXyU1s?nyrSAmnPsZI`hK^qUzt06938&%@PQ`#mVbyLtKn=?67}5FZRR*7 z<6L!9ybpC#Q2-0Zj#0sFN_dFg#<8cw-7>~;c$9Pr`*g0@qIbvq_8;Ugt9v26l3A^p#ile_Ci}E2_$lB9HcvQ1nBL9 zbSGAOgtI>aXq<(W#?D-!ca6kPSsE)22jPY)<09&PSadSAqc3LupSTTC%j_rh8nxs$ zRzpNo1u{3@EU}IQx*!s311Chp#4{R)BqGQ1tzl}qW%R@~-6E1WFcdl3P44E~>($*| z#tI$hI{=YPIgUUQkqThCn6Z>wM2>Co;8Jd8UCLeQi>8!&W~B`X<3ON)l_dFXwf>f_ zZ{lRTTK_2jq2r|U7dXUUlNb-dE@1m0G&x1+Llx2b@TG@l#M!_R&k`&~u(io(A# zIAxEhFs8sWWN1@%))|7FCkyv|hF}`Z0xYu*fs2M*bx3%tLn4&$)c)|fU8kD{cDDH= zkOPJ~ww4MK(LnkVfB*|z1av;Yn#4UuUWw%XSDduBF$(0kl;w%q7=;~^LTJ{4v@r_g znxPoFjnR&Q6hqsvh6Z7yblU_3uw!-u)r}n10f9+!Q0M4+Y*SL7b?2$t0DBw-cHM8& z-s6}TaPQx+>v2SGJ&slz7X@V$xHZLR<#P0A+LbFQd)zuxE(NV>^qK08=AO0Rm@`%zp^nImAlP6Hygh&gr~3yD$au`TKYl9gD&a&>tSaws|$^#^}Te`tuv9N{ZI zuKdit<^aN$<0!IM_0;eWmZcNCC33QN$RENBZEfYDdd1j6{7|S{d>8U~#k{UN9t#K5Uc3GFR z9*_T0yp{d@_xHJ`Je0E8a7qE^@(nHa=F}VO0zEkeh+6?7 z#Yh+@gFzE~a19g(mhpM23EXu@bf21##OJsM$;3_*BniVcXx0SoLvUO{Lpi>B1>ALk z8ptakjis#39>M5qx>&sWV?6#xlzl6rH|iq$BP#!Qz5lEHkMe(Z=0C^?1>!avbmOc^ znf>U7j3^Erck;8go%KdXV3VV_HpX%1HO$5|?l3jjm=Ecf`DVNRF&@8*ldtn-_V}aK zZ2LW4XMYt3cA7o+UxqYB5;#-cVKpO{f zlGt$&@gxz@I7WW4wB(=g9~ztZ*K>Np`y6$KZmIuHqRF`troo;N6>M{Ea_wl$s+!^_ z4~~p(xykizz0RKFQ@YMcSYLK>{dV-`W#;H`%5H8V8eOnRq6-wE7Z>U#l9{7(b(KBE zjbijwhmH{u>5Lf(>N+Ilm0_q zla@-?sxXk2PAs()7LV##mqX|cZYrCWrfm!77R;QKO;7A}Msb*N^c1AZp4~*u*xtB# zTSOxXrZB@dG)^t|-!{$Rl8z1|sn2H4pA)v*S7Qm2y~VoPjMBxd24_!3dm%oJtd>_w zLISX5M_kh%Ti{Vo4ZV1FJDJbo+d0z+9azdD|Lbr~*3>l_=4wp`FT;{V0$shqy@duA 
zf;T|eMr|Vds9SnY)NN+TKk9$c3v@E2bR50gKAG~!u*MGt@$4y;MZp(tol;pAJ)cgg zEIw{$bt%IBJNPEQPnk;oIttTO0n;B6)l*ldfxUxPrhRzz z`pxL$hyNLme;vL0kg@OrU9by`E+~p9L5x#*fiU4RA`w;>6cb7q&VJ=Z_AAk6qaQzD zsR^aZe;qd*%gR*B*uk+}#qaEnWp&Q69NXDw&i&VT6aQSd4EBnQpQ0>VQW^R&YZ_b7 zRW>ZKu-Vzw-?pp!@i?c#=swOLKmYT3x7n`ls{K|SMp3B(&j0lG`1Q7EbFc%FVdcNy z+7uaAj!tVIk#R-^Y<%XBO43MB$BN9B!LBs6q9_Nt=AL4>*wszzv7l)}&%kgKt3{EL zNno$8j~Ws8yXstVD~hTB1{<0V;@H)#0YIvWc>V=O91&P9$V=67^o@+FHA$^Bi<2mj z;#ot{PweWj*cSbylP-#Wrl*}3hN7P-wt{J#(ttI`(T`~vq-TZFxCo##vXP)3Iucw+ z|1(mJ1a-_nwawwjHWU>I`Csp1a3m%@I}+CYa)oaIFImbjCsq|p0)=*M-Oq}QwEcD-8Y2@Y6tVf3?{!?p^Tl<(+wteo{4Qf+yi8ZS&8t7Q*|AYXSbqKo=M3}7 zG`V0H@e3Ly_+mm8znG$QA`*--iRnK}dtR)8tgRj?WjX#MyY=0{%NBwm3H3kQVhY?% zOt`+Iz+F`se150NKtVW30;o!Ytw))-E`zTz_jo-@flz+}>_;i=fnB*s?&3WYRwRzz zLKmBAGEPjT-4ufCzpyP`V(Jj;%F?M`d+G+VhbjWjnhQV)T|LWglrWjvjgn9-kSS~C z2Cu}iQK-8HuS_i?x!08TCa;2ZshtvW;I2zgUBJX~*H3>9mU;9s)dVYLqZc@tSOqH; z2QJd}Nc;3hp`$zBU89~^|ITUFvsX6$!keQplVNUJT1D#8JH z3HiORvqyQqOmE|Le5Ye%2XoWwytJ4Xry>g6V?Veu0Q%;pjy~5@_RSTcOzXC}{L`tO z^3VXH9aoF{WRxzaIm-W#Ch7e5^met@A^fT9a19#OcwW#V`=UC_X}LK0W)Xj>xGIY> z?&3b#Z`^OoDc+heIzjaKz2hT|PAG~h&K3`MaF62C4@ss6mPe=8>yOI1^I>;DLZdLg z`u@|t2gnx(ox%6t%SXSxdc(vARHR4^KOIO1FI=@!I1rCOvJu(I#;E8}B-u-w-;=Ma z&9=#o93LJ!c>(7ur$oq88$yl&^05uc`1+sK%ld;N(!9MlKMWHwW2c4QO^IhKrXnQ# zUog;CI5~Cg4{9l#+#}Hg=ktc3O*Lnwl2bl&2|#>zkvz z*J2D0l9V#NHY?zTWQQ#k=%QZ#7fL-a1k*h~g}Y4^nb>$vvdEFcA#7-c8EnVZ4xSn880+uQpTU;E0V+QB$fb_E0QzX@ zQdk9JJr6y~(yr;q3~ohiK&n>fV0o2ZiWqwMZ5 zh2e52eff}?kKfZbtLxR>{UXhuT6Zua=Ncwe+M(+5oXEvve!Tkl>*(|7*X!$7qmd1X z1#~>ua3sFkY*xuU^YZct-XooFsFkY>?~G*eP{umh6j zrf@3(XEd6ltvyIFrO<6s!%A^R zqEg3+8NCIIcm(YD9g@s@Pef}U9OoEPf_tJY=KkA<`#b>m+j5pY!Zv*wZ(|LC9ml6r z-jmzGB?&)d&pL>1qMqohfV=329&yvq>CHOX$GQ(uV1)BJMtVx&_b>kY)%C~Ezg)e0 z_4$|gA3xu`|Mi!b7W5VrI2d^Fb(qavw#-xu0By4EL6!v*wb&+>IQmKJ;4xW@wH-bK z)t*UZ;IaUMIg6eyl_~@ei`F0n$G{~54dm_%!R52ayf+&Sb?3~4EudxReb7|ZTO~ag z;j;ol3>@Uti*aueA&Ddnl;lm}dJc|uHd*MNNR0!S;o4v^co%zC`k*NhQ842Ba(BO& zCz;3BG#i(LEl-5vwm=Yn>pn7C%!gVf4r>vATO@^WOMUR&Hsj1 
zw`@*KWwW;X&LHMYhIRWB({6v(F3V|rfW=(GmO81#oDPw{;3z~4WW%2$JZKM-=2;Rr?HH>@;fCJ{u*ayxf1sD`WRclVKd>yn{eGBV7PwbT&q6zpp1) zXYeYmk%P7IPIQShV~_ugTp~4T-wjv5J3>cN3GfD;+0NMUksr7lpMC}W;?zV6joSyN0k&>7v*FxuzE)YKHWKTy~9E$t0xZ|tr4RF zuXY+Y0k=`hkN7Z#02`Z*W0_T928YYhp{Uy2?(o{fIqH_ReJLBrj_0B+dOHPJz@1Wldd0v2M&@cN3 z4+zyRALoPz4(#Syxm`m->py#D^025}=L3#E=CR}gMt-3td7!>c`M1-vmlyy3{N~mBH%~84{{3jUgNh+Zt^>_W`gbxG zH?T$x-6+eH#n>}iBzZ+pNogTbx4$wmN3P+dsZ4Azw!%X&_9`b8c`a~@?6liW_n6y> zFw#eniQ?{Nl{fqFP$)ahu@;I^%MK0R@U5ql!u`HsacgIPfxLd|{it|nV}%&*yL03P zc0Yq17xDz`l!olXlpKF?dDW6WFOWjc>tE2eEg}0J?YB>xbOeQV1}@2%oZ#);W;ufv zv@%}urkn**DU-npwO>sc8(uChPgeD2qx!37m+LRp*H_o;dUai0wcz|y`SPIs-+rf_ zb;?0E0VC%<)HjujC;G{Uv)5PBzCvh9ia z{l30x1l}FHe?_-e1F(Ac45kJltL#3`KTgE`*Y&rntN(5|y*vPI4ZVKBGfM&MERjQKZa3Ta zU2^0W!^YY9=Zo{#r)P&Cos5jca1ZGgoRMA)`-?GVaGZ033Fyhy+gJY z-ZJ8YiQ7p#_h9J#M;tjjKRa!rh*bxGZjAsR-Q9!u=G(ezdl8q&X*8WkEVT``7I-v~ z`;$1svv`ar(FO^(jJ8~E?-nkR{)0r6qS)y9YrEb&d%48Zc%(er=Ey(K2CaP23R#wR zG?aGQiVz#`>f3empWAAoS`AQn_PcGiLl#4wb^MLZKmsF$GZldy(5cTlCTlf-LLMn7 zyJ+~=j@~tJSGS#7Su3PiwnXJ4mpsf`H?>yYmOO;PMZOQ^q!0Ep>6SJ7hO0+aAcSGFNWx&v@NYpo08H#^Y5xa0<;}K zOpg+vlYk)!nC7rZ5ly5yat3a)ojghxvqL+yd1H+1&?qgy#{r}_OG#~%@#4*Ob^tX^ zW3DsG0pVq>Hh2nXqkK4u&^)x+d7RMv;8X-tX2U|WV_BCrDk~Aw#&;H_lbbJJtM%pV zsy#-#0R(m00c}Ab?*NKA z?J#~2q<<-Om_tHz!(#pg>0TORcRy3nH~{x+vxv@};=>K%h29Nz>yWh4A+*;zc7Zt> zdkE+$AIq?nV`=3uI>%$s)NWW!O=Y(;4c`1$L%;~_ku_-|LK_oB$c-LC`(fQ3bcFT- z&QA1c4$o9NH<*bSBy3px?5Y*mAvE*9C<=8Z1Fg9N0x{D4OcjW85>d|R3&cYR=FzKl z)+qiuqch@;UnUI75By-+hO<=VS?g5>D=!&N&Z(n`hs^-rp=g+sh z7IQx2%MddEp~0RN@j76Sv*>@5?5uL zlz^efUfPz5yA#qjsR(<>CXclxaFM6`My{MEC->N=&PW#ol_E>t^0)Q$5jmHt<&TRJ zqYybN{!^s|p_Y+bl&OSTR#r&$vBc#hipyCA{+`Q{e#^+wJ2L&29k2kwn$2@rY<2=1 zKfRbEH(890dCdHWX}V-xg{%)#$-0~cxJ>$pTp?@2;}Y2_Bf#qlo35#l^<$dp8mrt9 zl#i?7%EzOy+5<1^2w*j`z)Z#JbOeREYPkCHD6CEb4%+rj)>O#SGtp#?ZN7T^L&lcS zd+q6t%YGHoU92M&#$HHv_*?S<*SGaHcC-OpDndhMKb#^$*he9`U_Xmz*y=MCi-QvK z^!2cKhO9u-u{Z_(4;@Ut%~!oHL~a2KUo@RZ<2D`O|n z%X+<8iL(8Jx4_%Cj13SpBFU9?>vH1n^#&ZJSOh%8q(>>NSDL@W8zw9kNKH&6EWCta 
zMjV|TR)E>+J|4GTV_NiWWP_y3yOu_XTKmnwOiQ%T`@4(n;t;gG=ihDal@`cp zJt}G8ed6C{ZXUju-;Yoij!!T8R<1!P`Y$@@N%{5XiQ^n>K_!opW zpM4)OTH|v)fKqP$?cU1F0kv|_z+qG7TDfMgm4kNtqeb7#S2L{~2dCwigKDHerUO^N z>@;WzcRheqrdh&m8`&*FyY&X*ntdRK7T^TPHe>;rNVY{Kpc?|<^3rhUa#RA^ATTa3 zdAcZ~gyRT(%3@iv6i=uuq7|@m3|O#O_8s_`zF-l9=fBMf7%h1E0Adv2GJbk>bu+Kl z^~cNA`dfANrv7rXYO}K}OG_;vo&YM4lca0iP2lKW9KT!)5H$SWDOj6zR@$^Fjs4<% z2-P9LX925@d*4E)ri-KnOgi=+9yDqI%{;wHLfPX1U58%FVTW27jcAGL|m)nBc>D5EMopFNFhDH=dHd(bF z>i(gaX9uAjk40W+p0(y2jSMT|U4(vHUDfM#%k-Yn1IT8RN1$|+e|X+#o}LV+loL_h zfB(I>e{pm7S=~i`qX*E>Zl^tlukkyj)e%q{DWJ(HZNrfS=m9kJ2m#tDC%`lZ)Eq3m z8cqcn!%{s-p&7XBOqmoq6$KmoeoBXX`{yzY7BRObAvQc(XkHBJWI|_ zH&N&qXl%J#n;WE)c;l_HJPjHSylR#^jk%BgHAo-J0taJRnlha6T0|GHm&*ePW@0Y; z#J`yh+W6fb$lyE%j$JPs2i?P|~Ss*X+jEGG%(7GUCYffJPc1&x>UJ2MDu*chrn?LL8 zwuQ9DA&`gBBaXgp_+n2}XPQG~&RYRTsA0;%vpgE&yaO7( zIZ5Cy9(&~R5KD7B#Q7MHWbdr;jwg+i09(-AfOY39=dm|L63wAE7nGN;Av{wF9PS4y zcr&;C?2Ylr3nD~kZs0`5fM>~Aq_QPrZ16`TzL5Hs zD$r&DMv?dRdW&WYthuCVAw$ZV_&;d5q;jWw(6o2_-8h?i`HRb|HYt{oW`@1Genw#c@u+ygMpl%xC&X#rF!BF^hOECM7YA%afuRP;{@EmhDF~B zse6f{uW^Qd!UjZ`XHD0H%)ieAH|tecLjzT)h~@|$H>OqIMxM*aE(*NGx)^ATPTrcp z-!0wCTb?ckZ-Y9Py2A`vlq7oHYyj^3W)c~?oscu+o-!gQq_@yD4V(~e!?$GRozMyC zZ9bZtsWYAu*h#pV3bjMdkdA30JEV8_%Y0bVxKBvTm5_m`zI_3A&eZGRm4FF~F2>H0QkROcUI+ODt#hUx z2XBCDayYwl=2&q{1+F_9N8}tSafu{?_X64!K!mYdkBJbD{#eE*<~(JtPg!mce$G_p z1|{H5Lf^Z#U@CKi2CkCkR2l1TvMsPRUMdb-0nR5_=w0wE@ovVk*%P_kAzom$FHr+1 zWT3T|bpU2s*o|6%WB~Oq7f6ExRsS+t0XK^Q{mTXN6dPIpGTI}UxmxgCQ|4o^{BHq4 zTbDJ`;y~59j1rD*!{k}ba$%W|8Q6grfN<#~+jIygCE$Q=PlvchDqyk>aWcSVWgH7T zb%jKgC@D_&GvnDOi^J+f3z`v@{3ocUE(t&$4 zx$ctX{Ry9=fU_w;gppF03gM*qoB4qVvsAi4smR~a5AM8Mh19-8o%f)$fMY;CFP&99 zwQo>1@sGpBrn^;0`AgJv4=T7L5fN6gyuB7w7I59JH!|=nKL)J?)NvrT2CI158iLkd z9>Q(-Vvny8*&2ejT6}xLDxS86pd}O_fVKv!v3J;LYz;vN&A;vo(-4}ats&?nU_V^B z>3$#O_%+=d^136Lxw4w41U6dnU#r#8ZL^x^`Qc!U7vH$BnrU8PoZ@fu?_?}e>XI?m zAIos7)jW&6ruhMT+V;f+gO#~dF(JvnuVf9=60enDD}}`dgA}?%v7r&*^7Vq@X>r56lSg=<|rlIE~AEDa992Fu@X4sQ+{Y>k(S$WegD3`k_2!q;X2?#Ob7*kWZb 
zQ3J>Y`HQ=)Wh#5UI-2&o@((szdCffEHUXgPD39d^Q5QYvty!!yaa%Y7PgL_`7pp0?qOC zHU#KlAdaOohcz`2RUCo?Hi87umSu1By=&w8eH-RKqnsmoq)k>ZvN+(vuJXD(AGLrem^ zy08b$BULU{;LQSzI6#DX+8UD9{7VXOTZ3n6Ye*)-O6LNI%v1X&2W$^BX|1&&8<^S} zQj&k}!v?1EH*3d#>=M*;56D%qR89A641ebypy?ivrUtU6dp5v>@BAOP!15AXLrlj% zM}~IZ19E)>Rp&i>;0iO=&m8g$8`(3LjsV;{k3B+R`JsGexkAFSo-b>se6ee zgNgP?4zStGQ+_akMJPmk*h#1hz&1 zd!fzYj5LuDHHVu=4tQ5Zz%$3Q@@s?PZ{X``V&;;`cgiNFjlkm{tOGF9%CF6ee+{Cm zYL-iO-U+K_P63apaAs_U%qXZB>vZPt`tM?Fg;cp@jI~Fzv%BKyX>eZ4^)ysSWlKie z0Nlo|DU4-TSXE1fYxew)DfLPOrlPh9wftMbz2G9nEg87xXq*f)o<(!- zfCf|kZk!oX?@}S`1OM6Vz5p>}TGRE>@-K$LZ4EP|_NB5l_>|<|shKggH3a4Phv2fU zVTM$`RJMlAHD~s`-9UTs$EvOt-5uc>cA3DgVQG!g#(1B@uSlPrf4(?>eR_5X)Dd_V zml4!0K+mz2$UqKs643tv*&OCfZ4Mz@Q31J=%Uo>^(Ex{67{!Wq24fe=l85DZf52A~ z)NMeQ{Jt#0a6 z$FB3G@|46J`47Bxb>kMu5jU!CTv9+Y-_-9~69`(R!vdLTn3Rc-HJSgEMJHXE&bB3I z_|tX!aDA+ZstyZHR#{KMJvLooN5 z|JvEUqU8eX^CeOYDGIn;-Wes3m0+?cA;BOCYsM{*6=9-gTmvwFdwL;(SRh>xR0%{j zR^ay29JWHMY=8L*OPyOZ?xna%Zy+Nc~0Aqe#j{{ZOmJAh>S3a=V4RiP!Cdk@Oq@(G{0)<^ zV(*gW&9-DB@ZJhb+VZ?koJd#Evmx`>u^`Fi6w5=zslk;0ZkO)HCcOVnRa z%_AVsUEbMMbBgEr;pCtzBAIsFok9v+s*Zbd7I@g1NoS`8Tg~(AaB^9|Vxpc_u+yTv zrO8W($B8^JB{7y zK-3EM0oX{J{K4yZ>v)=YlaB&4TDkk{G}g;Y)&2F^@E@2cr51*%nKuOmv_dj$^EktE zNpA{Pz&e+{q{5W6?cjPpPg+=;#~|e_QJW{4ELU<_Yl|2+?zM~dsfI9tgM-|2rVlxDU-J$j$JlJ)PYD=i*-6Wi!?G&J#r~% z{xwEWbJ#*IQQDT3fb&1l-r3zUP=39$ ztQ>!hR!TA))+j=iWMu33CmB86Ggn%(J7xDQJ1L7_3#o-enifV*EpiZW8mLSEI_xbr zBK@0_fSpdApfX*+kh9}2c{@SnxqWP-#zebpe5uSkoy^Tj@TxrLdD<1S@&X3^O0w2t ztqMf4wm~-WUkzUvP4!s20!<4os|0+rreth`>t3$g5oeLs1*fQ(n+4Pp`n(ICr*|PY z*$4k@7uI9R5Dj* z!#{T@cY6cRg}M!}K-1Xd;r4C4+Qx_vxOc~n_N*qKt{IR$w0PAfD^skb&uHHxq z1#9>ugE}%fvM`| zSvmgwcW6mBmqyekEa_%1VLMj2q??gin5?9mGjRToqZrPm@wCZGx=|@BV5q$lRFXS~yb>H}nO1Q_O#EX4 zJPDp*buJOi(OCX<-EtB02c=Op!z-T`8Ya6@+h~mAJ&bid&Vd}x0>s_pPqMm#>dwq8P>FkO6&ny~s z2;NzMOfKVH4*@OHr4 z!&Bn@qWMWr*Ee6r;lH%5p^~|%k|VqzrMV>+WaxvR(;ns9&58}=MR~1XP;qhyXh0|r(eHrvXo~x zZFZEU!b2Q(5StE&&Ep|9%6R@cN(1p-JOAY7%hzgsIlHQ#pS0m@@HnTvu%VoC4GVM2 
z`=|Hbzv!2TAn!fQZ8b6S@9V23^?r7_{!+Dt>ZKbXRO=s@rv@UcYzyM*$$wpcySn=C z2Jl1R)*3kB#kDTF3>FK+(S7$FDgy{2J_uU0A8OL~aJAS*f_eRX~Q)(E52p>-GI~ zMlJcCFd2EHfCg&`SC$)sqp=3)(VU#G{nl--kUN5j ztlJI9mOpt5Qq3!#hmIR$gMh{1MPvsQ!Sow#H-KmU<>PI<_*h+it2=@*wuWp+#oQ@i zjGhwn4$HS!$a`=^mT%*G0;+8HVYvlXja(J1cNL#e;)9PuG+YPV z*lWl{+Sp~_R0vmGk#d+0SKv}ArqKbtCV157;0>_h&y~ekg-pa^Z#;h%Lo;WMRK!%7 zvyVU_!8O0r*kbU=`JIo6fA6CZo6%d=MnyX)DKVrSZi5ucRIxdz#Q%zKDQp<5B&I63 z1uLNbQ$!Yd6PXU#p!q*_rC5MGh)fm>GH`h)S6rFu-;f>uc5+_<%?wuw9u(XrNrp`! zOio%ra$%4fm@2v0aF{)VyXxu&t8|I#>M;P#cfg z10LB}wvJ{JtoechLj`w)9rm;o6~b8o7rL@X7`tn958*L_N7i0+F6}HbSQEX1*$CJS z(p`0T$eP+-)qPl4y%lYYaHSojQ_?jU{yP%-NP#g)&^>I4;e#)}Np6!|9+ePJMA z=fFoDJ+wMI(WbP(v*2ru2Ig)&Q;EQ{;A@Q)Fb-a#E6;+jHBP`rq~6dwe8HD8^co41 z7A0#|BJ{v?)&Tq+emZW+oLM0QHctr10@hg_{QR*39? znBgO`W=v#;Z&1##O5Eh(q9aluJt$OZwu`{q&P;JlCA~Z$u3iC82u_YGAmdA=37H8q zKCglhG2COyPRQaWmF?X&a)f_H2!t@QsZWQn13E3)BaGeWGwxu4^+7B5J|KbCYipb~bgC{Y8-XW&Ag$(2Ssu9>NV3ks-=ClAbp0!7AdOB&6~7Oa3Hn7wc# zN6D!iSE2c;v5yg@w=QE1uOq*8Au9fC?y9t9q*kV?w1o^@SH)96WNZPGNI*m-W!9?$ zSEi-4%~dbev7DlOu{;wcmN({NA+?MSxOvu*oiYOEn!3stGoH6t zow`2(DV3~qp4H+8R{@6>yU04n9$}>-YfAh<1&tC_{^z_xmXMGUVnSZaYl-tc^`B9t>ntzpI z%k6r-`BSXgFwb~Cn_cWM9eg&2zze-_z?RQU7qK~`6#wq?=Ce<)7jLV}JKTN-cQF8Q zchX|WKx|?XErSa+s8~C)M@5zUmSR3-DBaJ8yF&!Z#Qp z_JgzQ{_ezt7GDI4L*4=a+Ge67P2CtUB=be zEmlM_&fV{PIvN6(TKba`I3?Lrb#K=B;`#GeO?LhMpX>R%dbz4^ z|2Vn%cD*J2MYa09ZsmGkjT69kpLRw2K?93-vTd6+c9w}KVEZJyp0UIZ*HGb_4gbB3 zO@w%Lb8_?L>s7tU0$bzs61h^|X`a1;9E;Q>(1 zSYr1u5mhsSPW)rV=Cj|{^`CE=&#ZoLbFeIbQgmhg(BWeF7e%KjxWNCE%I33Q*6WKu zR&}*#{v7L8jAwX^cdM>~Pg}kA1Lr#mKT%JfpFaEW^5yBfC(VcW`Vh$PPnod}9HsnZ ziCyPEa()t`fOA1Gj@ME+p0$w2u~j<em77of+6Jw`b9k?Xt!*}1 z8Q)Ii4`;8>&Oe2jF}NW56F(o|_!- zD8OY~dK-}ov#8$2qy#K>>h^U7g*@OyYzaIs>9&jbx&^pn*VWgyDszwKi#bU{CHVyzNuF)s`>h6)fOsrY1aBds94yx7Ga>- zbkP7F_|KHU3Zy}U`>-PyNK*#ZIi?mC#oAraL#VlbQPl3599s(s8&9vk&VQ~&w_y$L ze7D96ZHX+R*#IpCQ&YLGf)sRxXY(i(r0n)5R@syLeSN*yyp8Ybd42g;{q|+CnokqiWO5c?STd4Ir(WrO zBdH*U-$j@<{Bh}wrfHIUWr0gG7&BW^$BhK)SX^J7@k5}q%(mkhxFPC 
zxcb@8WIKe$CStM&u3nvz$sJ3)f(2{mQI~l6%@0J-wp(J@Va2m^X>-H(fybjoVa%dA zL}BO@VBJKPBt}kVQIXg{&ssAku_&EvH1KFDOBN&jyJRf3mcP-Uhs8ta;PF`OfNiZw zS-f2;vk}I-M)=!m{%6~uW^ibAOw$baCJ1SUcXQi`sy>^T1#r6~LOZ5n*<=CNfO}X> zAeNh?u~#fthmhE6C0AxRrefI|`6M1zEEAL10e6M6Br#L1Y=eNCQavOdRx1;eI0gZc z_%Tx1bCt?A3t5WYO>IA{RHmi2Qx0bS;uxPjQ>E;TmQj&=S1(r8-*-Q~4c{T;@-9#e z*$#2m3+63TaqPShCuq5g=Z6r;G+jIwfe5ptEmJw{5^x9F)U+*V1_C)u*2VJ*n0|z>0&uZsvS2UEZ6cDvAURw#9m1^R76Qt;t;ajvPER7ibFQyNi4}v z5w+q!3sP9U6|t8gXjX6eXn@HEV;)PgR74l}TPjLhDdT`EgokBv@G|NYJ$<`4gg~b0 z+a(?N=XBd3{IR$setzn-n)J>K9Ntqcl(zmnF7<-1SoTDFz?_AUcx>=Mn6PoGT|a+PjN=C}1~8#Auw z_4XcJ+X?NEz_PgmY$Da19dH8?*L)-)cQ22;C4bWvaWcsLzFuz+!neZ?K0@5VXG;{U zbCU81e!5<6!}IfMU9}*bkvHnBCt7@yvk~$fo?O+{s%vR`23MBb862nxoU@RG@A<}@ zb#r^U5zEi&=8yPdwfXoKsDBd7ho}uhbc8i1D!+7ckr|E&2Ws z=I|@hXXl?U&R?IN9Rjrj&WA99x((>k84b|hc6y+lkrzXntmWk9`nsNP14^}?|Ir41 z-?2bQ0035kR!x*VvqS4SW|Xu$^P{ zcTxMqzW@RV*2rvTgkYWa9nPFd4eo4J$SO5aXDjGz_;dPalgJ}hx0BDk@@W#Wv2cI(49!(M76*CNINr!pBq-3Bza zJwX0Gn)_Sq{G-Xs#pS<$d;e{}WF12JnG|J@52`Oy-Ac`t1Dd^ojb9J-{#>tX0R+o|z#gk#7thoA98_=Z|0Sh5wqY{$VZ2WumRlUBir#}7KHt#a;8$N_2G9(+4 z!sY-IdrHG4$Q-G$sU(O~ImjS%Tb{lV+SR=N@O4qG>sHwN1`|P0uB*;V#q0^|s?JCLDdT;s@%`oX@827ZZ4l3Jbaq4tCo3mg zgv}1j2T;~jvjf3p0qNo+6bMpWQz;OyqmUT=oz^FR)bl^z++1I-Z&q(_{;pSD^j-`g zubrhis~f!WGK$yTlwM#9*F=#cSSih~2bBJJxp;eh`k(pLx7*9V>hr&^>(%Wamu-3D zVgOm~ERn1ZKFhEM-+yFxoo|7xTRSR#M*)jpe@3_sU!?omWFj#gl9to&f=Ru_0A_14 zsTWm{XA0?Lb&X>+mEefl3URc9lko-C(@qpWq7yK=c+!BnuHSrHSFJ;JHPZf}lOh7w z?{CgL3Le);XEhm*BXD6f$2BT-KoXcJ;f@cEZyyJLO9ki&`J1$WDaB6yBGoY!f0Ir^ zvTHbhOBLrS`Rf$_8qvG@s;+JeLIUZQAzCjH(*3y+Av^}{rdfhF;*GkSCN#|DPvnbL zwZZm!y}G$-!xmZXbe@XHIS8rXKZ3}}l^#??&PKq}*Pq|L7nfIU0%M7^4QQfQFIy*M z8Vg)~TmDo@W>tO5!3v2VaJ=W7@s65*4C#9eu@-2m$1sa|3`;AmqCyHeqLo(7@5}P% zF34td?NhqqIg;?XtoJFpJAmeN!8Q60c z?1YO7xetQK3D^9-q!i}A>)`j_W?#04b(?IurLGy(05aGUnJl7qNys|+`wHi$o7JE7 z>P0nQ->m+*`#~G#V4r8#J{g*{qe(g(Fi7WZfSG(FRgZqtr3N)5zoUX#%2wzfQRMRX z>+0(LKiBg=RyWs||F;d_cd)-$-F$iZ^_yvf-}b~70N3xv0|~weMoal3+_^Bi6p024 
zzK#V2M2f^%=wQ#(vE)&)TVwm!RI%Im{iQO3`3#nRBl9^)(IVf2_S;o`+ktVP(-RVy z9gPVwS}nj)RGfN<8r#n%iV;o;IMWUB-A996qf3RbcE{kmj|N%!r1ITIXEiVkPc19n z*Xyn~&LGX4nkX@GPRh7@zsWutWF?fyWFOuA?FQKlM#^9+273in!JNS@**d2L*X$pf zU>Y9EGYiomHwRG7EJW`$f7#pBbu!3-CaSKJ4@t(s^S3v*>o?73R=>BwYag}Ewin_7 zmq10I6o1LkMO%vSM(FUr8{VotDJrr~-e54D(Ys z?7fE{m=AjfDMo8y7&9g{fnW~XAW|00)j^!LnSYz3AT=CTGZRUT7>sny>>f48G&PT- z<1d-J55!63sS+m=*BO+0^7MckuiWm1LR@UT(h6p1Y;6i(L^*6n3)(uHc=Txdr*~sNt}Q zn|Rp)_pWf|F;f|wgOL$|yLlXj@K20ZFwPM;f6kQ1fvFB|zLlYa3q*E;h@6xGZUW(| ziUV@})xIkJe(un?UpamL?0-&AEMi}Md>&kq7Th-dh)h?I1N_rSVXFD?H zmcNy#MDm2KJyV4b3*Cx5C7ZjPhN+~6AJ@4a7E}#X!%S5~!n!VqRD^Y&|BT2c4BVY- z>RuC+kn-28$Hu4^OO#gv=@F1(sL`gZBv4BjL*vfg#h z$WE8DL&n>Y(`6T=q|5DbIG42WgmKv2dv{qAxrA%!V#S2I;o+t>rhF|12&Cj4J3x2? z+^WDfA`A0Qc$@fpC%Q^Lxl}Elu;k;t0CQ{?s1;HMlYx3aD9D{2ViSXpHwa~__uv&NAHfHd^_lzZx zkusNz$SLwq*g8Q)R(Z)l&A@GJ9GN;}DrX~fPdQ6aOBLNIL3IN51{QLJSxL@Lm?OmI z2cmHWU&I|7R{?d~i&ZtRPj0T)tDCDfY>{VhohJe}X<(+nm9!;|H6dw}4*X3DcNaF^ z*I%lye>6X*4PNB^Go7jMbrI&anG#>vF4j5r0vZv*LGe#_OVyb<*0DQsmmwv^KV$$Y zjg-Dr>xEOcj(;5&h%vJGNQkk3$+lwP7;ss{pdmRYA(Jb8Zr(Yv3Q6zg&DrrUJodYJ z=SX=>@8-=JxU`OG0y0M`WTFHlE93Zk77Dm7kgAvrS1Z7Lv-#|k28Z+O`fatUzO>;x zz(Qdvh`r-KNdYxXFObc5BExi6asQaf1B}Bq>fb@Eg90I}4nz3;kK?Mhf6f26xm_3Z z@TZ&ApC2!)%{TSxMKxdlf9|gRw~ZW0|0{$2=?=Kb@l|~6Z%*Qw32rhmlH4p7mqXAG zD$$NC`6M|HEcSmtwxo&KiRiT1Es?ApV3XLgoBe&oV!c?kS|3#$gYDv$9~rqS`juU_ zolbda8$17CuU6}0{&hRpbUqHYIL&xrLj^13biAhwr5$TEpXgMihkii?Nb)PY^|ZzJ zPDOj4IX&Q1r1C_75B0N?OY_BcyPns#Tf6ybzBraEu_HUCNqQQH88xI3neMdnv+EnX z-mI3@);?Lx9l|eW0S#>j7Xk#1!_#C=3}XZ51SXg1-{C}&Ly%V7h6#wOb5w>xg!D_`$3>LI8(GvJpCh&!NndEDFOa=v_b zz;5@z9VSr^>h&+(U68rDd+4`MdTHOyH{12+xM%eyu`~U>hdodnt~Z;VEW|8LNzc#| zjCe~UdV<9@oArp*X@5Q$?9!i;uFg4)?!RsP`uuLgdtGqlFLpGwcHMnA7C=rZc-u(| zG4%o$n<|=K?i9BdR#VE`gnKMU!{;f=sP*|B$D9_N8ok+Sxoy`UMy-*H`_HD-820X= z7?_^pn;W;p=;aCSWrXEFlb0Y*)BtTF13iKoVQF)~@8_QZ-2I=$w& zS*;eE577(k^(yp8+rD{o*}k*?ebZK3>wWp|i}7z^`pE}R9`+HO z(ekiZ-L{vXZtQw)myP|!LH>BX`eTG-m|p8L>092@Ecs(?uiZDU=U3|wuP$TP$%)_E 
zR!Bb>aqzgtF0{IB=c_jQVB*9t9isbNnmOrx-b+FPA=xd^Sx5c?vvc&F9`&oksF-|# zuimY%$8Bid>mTGaX>JCwTc5v^HP6i{02EWt?%P} zxmdkhEu)txiLYvu?=~J5oI!ekOTWuBs2-5htg`)h9lbimJ(?x)9i3^6%guZgdfIQ& zEBEo@toE_?8(a$THQ^zOJbE8*XV)WkiS{jqLv_lu@^`y&mSTJomvckESKJ@B#9nz! z)WUpI8<=k^Ok=lhuB-KS)2ywHCRh+neS=0$zQ}g57_&tL6}<`vUjqte9=yUKe%G5f z7dJPHd9y3Q>2gEXeKGn49PwTTH9H+7oRR1kY52y@cnNSoZajP+9lrg@t!2G^ZkM-x zPw{Q@5tj5l+kX0NKYn(<k&^;%eOu8w9l&^9yT?%2QEF?pL5mIeBDonpFzohqkp3=D}VapU!A**YoY? zUu?D5zVE)iu0F@F*ZAu-)0aAYwcLG`Wb|@-H9~L_9q~ow{;9F|T~!`EdHm{YUGds} z+CE#}+-^r{3F#-mL@#HYg;_3@e@Bw_!Y9)#&@;h*awq9HrK@}G3!oR!BM*;9o!yC$ zTKE>B@?YTaI+?$K;eK2i{J6ApIUZcd*WJc&;nOyT8dqKGpk{ zWRA@F+O`+Xp8%6j2k(79&Ec+<-2R&itlEEne>VHb?7tHIUJ(Ros)w~N%a@=-;s3V; zF}c695W$eNxiAFGn9{eyNQM}~pyU)I1Dh-7OOOuR2?&&&k_1XWhUyx# zlGB9fVPiY;WyntNu4Y7#;Hq#_ThJ4@s~IuW^*Jt_p~D4Qq)N_E!wNSPgv6}mjDphb z1fgw!AYGHv2~va+R=6)Ds?ZLiqALCrQbaL6tovfV4Ao(0h?mch1O~%KYbwI?WJtC= z$k5)CeJDc>RaVV%p-6FRhHav3DN?izQY51+g^nVfOZrYTB}>n*nnU5_5sCncw-q#} zFmMuRz6|NmCPH9sYYyN~Oe>P0I+VTBs(4F5gL`h_ww!50?hxg1mO@qxNlr!KQMrm# zL5H<`9Vewxg+~;sLkAn2I!^T)=oU#3g#1+$I!*yGh1+qJ4q4h5bX+%Zs`M>X%@FH2 z-Ss9doS;@<)^S?(oAMOMP<^;JjZ?=NVr1d2P|ZS#2MjvSfG)ihxQ1Y6C|<|OIunKr zA;l+GYZZ#e#p}3?2+|;iC5G}Ps0mfc#p}3i(n7}lt@P}7!w^>j8%CKbd07A+(7ouVU4l zsj{KS2wgly!8<9G&tmnQ$-~-)M~qT2Z~}L}6loDMx8tq3Y&H?2&>K!!CPTr@!-zW% z`D`Ldv@G15qm>O&B->bHA)ig;4%*TKr?jRgNU-L!i4>!L_qn6ZYz`Fd+sL1cqT|hP zzT(RL-mQc5_xXBzTP>d3>(%=6G1641G;8+N|GJO;Wr6FR9ta3SQ!I^u%>ng z1n>1!zyfQi5yshI?ahxv18XQ=eKuG@V^jjEy)2;xMkNrsyLK*Ef%M8*u)rG1&Yuld z4hZd56UwNc3sy-DLTNRrombg!KZ*s`(0!7#!76+0-?6}&+RIWzW0cm^xvZ{(DneLO zJFm(Zgm$Y*oXgVGFpQQ!VlPWG3K*3@;#`(yf?|X20U@X4~cIG`BtejvxvJ!h)S`v)q7ggdEp_a@bj9^u% zombQE{fh+FU{CGyzzT#aIqXK9;JZ=U`Q1ZcvJJVaw4zb>5R7hGmPb$Jj-&3urE@e3 zl^7u5NK#fhNA7h_z>&`7f;JFM^{_r68FR#Ob3_TF!|ugp%n^i2RgrMSs2;ZK^C&nL2nR=ua9+9(t7gH*J2*IEqImyE z(@-`H2S*P0f!&cZ=BN$!q`<+E96I$rV~%FXInrDWYy6)tM~0pvUY8F?f~kR1p)=-4 z;TuP7&aClV~*-@OcjI8pcyGX4_n(%oB@Zf(*g$0gUpws zCS0eALf08WRO$Pu3C0<4=(^p+w9+{W#u=QhL*O47(6V%!p$XayIDA;6%a1cOHe8dB 
zK-Wn^Vc>k#d^u_m-qe44cZ8F-H=$4=afg#rv>ru!$oM zT}K%srPmU-O{jJYhpwYSo6>U=tqt|+!lCP^lC*TY&IW5vaOgTlSn)or6`@WyICLH3 z21>UXtO~Ww!J+GzR=o7{$kw5D$J8_k_7SI0e4i5=oLY?IJmRAKyOy*2VnOBS_#{`t zlpbf8iC|21gsyAaTsRV4P_=Z9ROmkJ7+seSM+$%zUKhlPJi)z*oH#O|3$JJ3B-rN! z$3D`AsNy-YLEC%8K5Db!$Z%eI{)p3{T{p&uZEYqTIR_T-weIJfPt^zcZ!e#{zKpti8@+b1ySf`&pBMv4)=AiDv7RrKj(6)Ln~TbfdWEt4OW?*OI$${gxXal zw_PQ}H{;vkn%Z_%l%X3u#krnps9&_WDi8?OfKEFnO$kjkMp%>Eu3BO|wRCFR)o_At zcsl2k4Ns32SEDdSTufry6^Kv>#dWfosj=b;L>r8_CbnHAVFF)dK+vh?CB}-Y^Rx^; zS4;3vj`v*R$|*xP-qXPvDnU7$xN?aw?kada3O&fKd%hmfVgOSA(#` zMNF34juuzL5yoAGNIR6;!74RAmp~-18BoS(FEXGMyMxsk3SUsAFt8Spj74?xp$VaS z(f;Fh_T+tYh~He%5jxY&q=X zBelfzi&8vZPE2Qws`!l5yIOb(a+(%B?hDS|M$W}37nw1bsPjN%$<9dkZ$ zRe;YmF>TuLuU488eAUdRO&tDpxB|l$_%Us$tIFBLRa1;wAT*HTT;i&kgBBgGRqz7k znZ#A|{^VRNu!eeBoK0N0=J>+DRd9CDxx`gagxa;Dscly+ghr?aSg2jf*~C>zd@1&d zrM6u)5P{Eytyp5))d43F+E{F=Yx&XQDviWwEY1e366;=3L*h-`hylTZMLTez{ z;O>053Wd-q2sRr&AFh&O)B}kNnjNm1V8k`KJ)n%hs9%$Nv6>i!?pEsJFo!G0s9#~K z*lRqlk|LDX$r|-Uqta@G8o=#1)vrcZs|*sUw62Kp`};s?^#Q3_*BkRmruhG8olBJ(W)oE3R5%47fC@ zWhHA@?AahSSO3!SvqBy9$^6IF`Oa;-_)JDUzxfiMAEle9rB z2P+`FTUe9ChHKYq4xc|zC+;)gVAT>|hM=ZtyZ0K(2*Nf4HJz%)EgDuvFv6PH%c6`U z9GzIx)OITq2up_Q#JxrwtV&{30;%m*PB=zsO>MVwj&Pbs%~IQ~4pn^hZ8b}6w+f1I z%xBHgj`=i9DuOPhT{nrZ5I9(kMi<4d6E}7>OfjbMp_=%5mV;Fpgs>)d2AC#*uKJ=* zo*!hI`<*b5z-kj)SImIKrvhe)+hQ3`n16=|3#@6cx;Rw9D14|UzUks%HGs|)Xh`D9 z3r@L2rve(1xWe7RDmA(Tt4UpW!GURXHfuB4+~jCfg}|o*c;eI`hh8fzET|^V402E! zpAnFF!nZ@!9a#8KovQOiEUJ25^>L3zl>$OpO>M6#&hW(nChOrIjVc&| z4pm5PuPQ_EMFJtUy{aj}XIVjNdsTCSFBbr*?N#>&J{tg1+pC6Cd^P~2wpR^cl-1Ps zs!zW(WmsfldsPsIFc%;b+pB^LjxV|*6WgnTONQ^Xl8NnA!L>lBR}Ii`Ck$kD>YE#x4)P@>>uEQz6-8Q17(CQ@fe3ZF|w|e#8E! 
z_U+PM)cl=%&&bjw+cAM+&4WoulAr9~>MhLUi%RyhY9t)4hIpC33_` z$eu;Q5zt;JqDYQ{J>QUUq(rY%Uy&RI@8BTe$S5dY*9G(VI5^Ub2vRyn8aYRT6>od< z3OPp-V3-ffDan9tlSv{XS@AawL#*qzNlM%pl|`II3rva6}1{<)24Yh$AYhpzZw~ zjx5V1#Yaj1{(PAn*`Vz$X0iLovN{)zD1+i{Z(yOJ98B#U(HM>hWWy0?ReFjKAk=epIjnGPRvjrA)J%qi>hU?;2*~k!ey_$P?;PBdx_xCb=+uLdKgsd(5++~x=wJa zOAoQhI#^kXLe~kPy-FS&=CW*4-l5*XDgYy_iM|Kc%Qljzo|n6wag+qWEj`D%dIxhpv;FmCupE9XOK)0AE)R6}-&zP*W^wGPA=~ z5hC#AhEeSkmg2Wf@ zQgw3e$|#h6NkcWEO^?H&RDv;qPxjlC-N<*aN`#?aWv5E|MynJc2BE69iSuX*dd>6E zz&e#-5ihQWV^jkvrxJ9qN{%p_u4YrYZPDT?L6%y*QY8@oqbm{J@4$-D5 zYDvoa_(u24Dtgvi<6=$iys5`f1St(k#rzV5MB>kbFYZj|c&B^se)P#BAKZoCD5V^| zfx=Hq-CP{LE>sDJR~_Am8#?6Z(#$?_52D17!)sJTSvn(%D@1PV!H*t_#q#hf!xbW> zhO=#OwlM5GmlWxRZ6{_@#dcyyQP;{x72Jp+#l#3*0JdnFR9oevx|o=FKVuz_L*gu0 zu@jw=@kk>y*1aYVHydly?tEC$p7o_<7YWr4_pB`rFOd?q`Le;?y7*g`VNQf0HXCODVc)myQqO{d}8EY-ojy`uEiz}Qt^2zmlt9=$6e z=5Me$;{%)% zRAd~ziT89_dVE!Xn!4R|M*d;WC`!;(OV5idJKyOMk_Nz+f;-Dn^5~tY_Ey?D`I@Hp zA048Z`4ZS>X6d6utiqbnYdH>9tjvlGuVbCH9trEDOK<3R!Wz|-Ps3_j9OHc-tZE^h zF2{Sl>~&*pOq(UvWJiZ}!iHDciYZ;0=enD)_*P?WB?=){Y}Bf)HsNytyGi(LHdaYq zd|0u|1(K@sRnM+yr5SB1d|i20u!u=gbqhYKU>!?s_F{0B0&6P;JDQeMoo*~8se%P} zv^D8$F>7MQ_B$ul&r{7zRO?=?Nt=zetFe^@5-U1p&A(!sp=w3oG3(Ia^8td6S^dSv z5EiQNnANSay<1yRbj%v1u%)h&>QZOayBTY!^IcfF)D-wW#%k4@t?LLgwQt%Tu({i) z=~(Ir6Pven8~J6L<`2?sWD>rz`}G5#(P^Khvg-&j(E4b&-kn^HOChtk`*X)6UnzoK(T{?upfe&scX`>9pBc z2VZebXSin_vT_{g13xV0B}XdSwm&S+ALU_TRV$sJ{+xD%ITWj-)46G@;2fQqXs1gk zTgCQ5Ce<<6I(C}vHf^@qSe38|B5eh1tQo5j8Y{TVJh4X56_pG;8)=EP($$n~akav` z8EYSep4GsmIvY~?sG^n66D!~LgT#ss16&xX!ovXXblR_p6&(gRVK1b0a4)1;Xras6 zTF3T6Ce_~g5`rCF5^os?@IA23;KEH88FVpgtJt+NHcEFo$J)Sx%@$sKoq*veA5?g) zjk35s*_VYt>uc4p81v=wL8@U*JoqvTe!(h(v{74o2q|7s2QvEr5@D}@0;feq5MNU8 zlyd)L`6I}PYtH{n<;(Bj8P4kO;KnC^%^$x1<(K)>?eF{fzkd1KPk;H#f1iH%pVOy# z<5w|49w!by`uVN=EY56=u52K8L?so2@~s!H6AorvC9S% zYeXZ&ij^Q}UaGHCB|Q{Y#Xb!atFF}0Jr-8%q-~+&E(dBzSc|oR!saNf%cY&O@Zh0wds;CEJp z1|wFms6=udj49U{>s@;(RtVp(yRC%WXs*48ty~OyB(9g;mTPS0swMam0~hctNn*9m 
zcWYhHTT7Cw2VdXd1-!PT7Zc}uYF&1dnA&Wv)*4@>@Uol8)K+utE`(UYb?sh;7@>1D z@Wg&{_0Gr@+v3)XE2X*a^@81Ou0DkDNdPVr^b*Ahp9Bq_83?OFz+Eg{hk?}8njlT@KHr) z1}#DI`2cic&|2r)W;*XCKEKsiT}$VCVqLG;UiZYxDA{tog5`X>Tj5g}>ZO1aSZ>Bw z%u1~21eRMEUA{HBf>QzsF6b_;#EQ-dc(cK#l$==6jac4>v4yU^RPY{(#Oiz#TFDh1 z3$!q{m2^oJ-6`O`(5*~Jtl*8T{kGnN&|3FWZrYC3j7>H=vF_E@vK?#V8_-Iw;E9*y zI+SgPVqyia_(-f#*a`%R6}>v8V|tc=;C zN~PynegD}Z*0SB$4h;=?6Fk$bjr0R4H?nxC~${t09(6jEQHM-SUbr2?67gzSao3R?> zOJKsvv?NtkzWZthCt62owelJ3j2#~wB`oM>TzcJYiS}k|jlrkoo?O9!fK=ftV$}g| zy-KWuFKVp=n`lj{!MEr&v0@9^LqrE(|7CS_fFVzarLDxDf;az%Sr>z!|Yum;?_wigYn)rJf{bCn4^>Xux+ z@M$#2gl)eVqt!xJ(KfJ-dr}>RuJmfV?a|)q14b9VaaRL3VJ6jH=%z9aE#f}L_&gNG zgcYpeK86oI?HlXp=xRh6bova|(VjILopNhZMSE5+FXS0Wunz1pm*HCZBwB2@?A2yt z)!qoPf}2|0s?sfa?REmM&`z#|J4cc$b{VOA)$&*x@JA;gk6079e@m?MKY#k+Z=dE* zU!(blpXMK*|CL{Xcq&WJf9X%nSpPQv{QakS`tEZ7H{5?@Pr@{RIR9tj{O*@uK7D`w z^_ThihcRrrJ`Ml;{)g}L|LhUY)Bm#hSKDw#w}sqCKOI_)IP`=h2?j|R{)v7bCO|Q8ei3ZYS@Xs#QHf)z=ajt!IxNj<7+yfI(DQl zv3lXF*-sstR8Fix*l#*@>@J|NQ5#_-(Dzzbu^FpYMr+0PnI+cdeC>M^xCW9~-TC@< zrjAX3hIwU-TX(B1ZN{3k2(e=Op~9j%A=UwIh)S-#6W&?7O-pVz*BFdg!G-&1MF!ve z+2r8oYb%X0+2Y`}fXOw4@YZs$cWqS~p?7t-cU8v8lj#ID*RE0da<21kBNAK9wVM^b z7wo*-ki=GVjVgp#2e|y&)4eic1#bh2Q5ZLc&yH<4ORQ}WnyZ6lm6K}_ZeX7s+=Vf! 
zDqoRc4)9X2n@*Xo2yA2WJZB8F)2C0yn}#;)Uc8DZ(;wza3BlV_@3`@f*p zX6vAqw?h5-AD1PluQtz);!Dq~{L$?vU+JB#<+bKnF^_VcFV`>oXP+l^etZAy*9UEW z`>{za4kD zes0<--Qf4A7v!CLr`nWF`yr`9A2c_t|5~s}g%#QUe5Y!aO;u;q394Uu!#Yak^Q^l` zYi%{wVZ!GECaB`}9jgyANtiv99$`{`nI@Uq`)=!N;{q@s) zn!bwip2T?i`HSI7U7oFc{grVVSDn9nWyqT!hhO}LfBy0NzyCTv|6WfCjt$2cL-^v3 z>t1okMxSFDb&Laj9Iw2?uS-2uuYDd{z7O~-JU<}1WkN#)TCcrfCDaSO3HW0@%&ohC zF1hhp4IO8!qZB&5(8P)yluN4KyRj)+4J+tOoR3=AHZ&zxWM{$nUCsBR(aC0ve%`}c z|Kkte{r>m={>MLVz}_c(IRtZI2ZRJbrNLc$`^{mb2>SL|g(~-Ciq_TEmwNlE;%FCg!g8PM% ztCf{v#Yf`m*oGmoszP{aVKubwTvwO0j>I*P3WYbU@?sx04OVn8U|JZxYar!{?^s(W z#Cn2m8NPE}U4lInSFFB+nE6@_ts`MQqw}uTWNi)hP+XCMnu)a!A&jxkyEM7I#a#R7 zl`lbfp0N|Bi8VT3X5f4UkDN;PR{7op=POnx<@V4bEW%z2Ix{dzGrl*$Wl@;veauyh z4CTW*1-7=WMeAC*;zMBtCtQ+i?|hfmbi$^ywOCQU&~-v5T#_qe^<@GlToP+IBUb22 zh#S|YwsP|2NLn-z2hjlJ{wPI|<+Ldtv?kebXcGp1|yIyx2f!k=VF2(6$EH7yB z(VIy1cmI=qXggNhd=9`oIcPgT}! zIyn|qY|1gIT3@wj>{wK>uh*oyax2fVsA4DTlIn<6t0Rs@b+44bW~yO?RI%M%7Fr_s zsDjfhq0&|@8$A-$R7GL z`-_z^EL73)>Zn5KSJCn6P{Qm=MaQe7Dc_5=qT|&u-1(@YSmF(3I zu(f+7qC1~s6|Cq>K3EH3F#tW&kyy3yVO6Z;OH%F1cV8)3Ppg$$D_v7iQ?zHT*7)u# zg?m;t!a8dMtHQTpjH&B}_5o(X_Y`PwA7I|;de}ZU<=~99N$1N4c6fBv+TaUXJKD33 zMwkt7Z277cFN{?8Dzt2N0p5+TGsv;o>sF!=I@SP7z9rVCe8E*tF1bp517!NwVCt9tP|X`4#sT2Zc)o_1HXCbLr!&?LmSIS$&PWx!6s}2;N>^*?;Mw-1YJ54C zzS|V`W@8oO8*J->9T#k(CFo+-F5n`zT5EiY*ZqP{Uu%2O9KgbLw{@Ev&DGjyd=kQA zw{Etr=4xFixq=JXHj1x$y7rKAlsjuIF57uGs(lbr1wRIiapSHJ-%B}Qvuh2;)j}h{ zkwEj1#~bT_Tg%40bnT0bdpV0_Ygy~JE$MvUz!lvq+biQXxB=GFZ(d(C%aUM?f_`PV zs4;Q{zcRdq)1`3(KI!dU2c0ZI7&vYV)1a&7#tHl+4jX)fb8$jnSaAc%hZS6Nh(;*> z9B1@nAiD64cm;SfbW&}Du9zF>#n6e>`Kq}A-V5Dgi1E3A3*57gLHNMhZE9wlv341Q z?|pS{V6lfTu6z>k=Y|!4?rJW4Rh;t~JdD(}C0RnQ*lDD$ow5Dsd2^|ZlcSi3zp@V_^v+-e__nPx1X(UP0DIbM4)g?nN*OcqS>S zmQGh3m;~E~*vBmvpz{IKK!*auv<^b9;7}l>)Joc4tN1 ztpRJJwWe=XVQXrMTCsxgqg5$v0oK2EvjM4gy46rg72GN`nuxGHvZ6Zn>6%o#vT2pY zXZbatv1*~~6G*Jsf_73hW$S54s^F~PZJ%*x>urr1XwPbVt2UA<+_T!C+hdkkvDz;q zsyr&{$RpH#=lBG*wv_|l<*iVE{>Nnr>Z?Pap=0U8Z%_4?ug!egQ!)SRGoM4Ik?6gA 
zIrjN%d~X^1e6*e4d~9AkWUM$g9qT4^zX3}IwE6X^{pqit=F{|*LwnY9diwc`LEUFL z?XMh~y)veIJF?Tb>ip%A$(v8?i(m22KYsuBU+3pv?8)o=_H(SIK0d@h{5dXveb$%0 zzE@9j%Tc1gz9`c8hJz!5Bh}6`Yt#u3hMwRgx>Vk`lLt z#dLM*2#0%D(?VDHORm_4;KVwDuKb@^!ESltP+?lyS1*<6PzT^c93 z?zIYStGSLBdSo6Ruu3m*MAWp7m@9M^RBG?OZ{pmW12B5XrPr{~^4ps`9^GprOLLSDW`%V|AsQJx;1nVV67BPUr&+?O8pH zFSs(WXO&V!*+#lg-jH)iH>y?XRESRL*1%NN32oKE6)Y*HjW5UI*aDW^wioj~Td}(z zZdgMJpRM4=R;gYKU#DPHO{G4_u%t%kES? z=sH?1f{w1dN@d%qak?ltxboT>-+iTU&nn6{<96At|7xqTjw*CgyQj-Qw+Z-YgsK;p zfo*SBlNYPCUend8A5>WDbX_d8ie8o$6j*&lSL;;9HSDA5YN>gB+=_h6!&=PPii{;W z``1;_Zl|S}4|iI_inn8**15!z%*mTh%k;yYmiJ}{cZBD<*d_hSY5jkWa8~(fhh4L1Yo%iZ+-56xq?F~Rz9Z0TNX)zmaLDz_NZZkIHnpmSSVg;A9Eym};5H7A*#WoAq zM%RaRZdb4#W^(ny7Ywv3_|l3Hq3dr;tYAIN`hzA^aodETq4wGpe7R{4sB=iNG7 zHhO_BwGh^}&sS_ZJFyz0x$d@(Y`eLJGjheIv%84$ZPNYU?#^JfVHgI(Z!{dsmgC(< zPrD7aV=loBqpa&j>ax?`eR5bR8w^b8_^~cI2olT}p~#l>N3epYi-l|G^z~&XgO09b zyuQ>m8Ss{XZLpP-uq_>Dqo?5oYgCC9o(%Nf)rEn!xMKS<1#7QxR0}OLz&2WiwZi1U z>Z8JyE2BVD?&_}f(Yl;#tjt~8@>lE#9Fw80PJOg3tl$wiE?WYPVF0V@Dp>nUZRfV! z6)Qz9Sfj$R?S$^mW|C{&aduPg>d{FSbv`PLt{z;~BHKBAokPikrN@M;*Qc2+T+zvZ zjS4$ll81k_yk~t?trW0*nSwPqh3*=zb?$m8R#vE&DOl0Ll}Y0{Rsff_iGRvvYQYLF z5)j9ruVWwuY;QJGa8#EGG_`;2(fh1WD>c#<*8i*#><&d<@^7r}##;LR@!NUvn|T`Z zRF+iia#ubr!jzAvv`S$9qPDpmhC)@~>~}d&bHR9g$#3t&@H*~4#(7#9-ObN}^N^P( g7Q_9r#%cSo+n!(KYJ6IZY^?eG0#EvuI%KRA05?)keE