diff --git a/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log b/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log
new file mode 100644
index 0000000..4b26434
--- /dev/null
+++ b/dynamic/drakvuf/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795/drakmon.log
@@ -0,0 +1,4001 @@ +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x121a0000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x121a0000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel32.dll", "DllBase": "0x7ffbc2640000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"SetUnhandledExceptionFilter": 132480, "CreateProcessInternalW": 241936, "MoveFileWithProgressW": 246112, "MoveFileWithProgressTransactedW": 143376, "CreateDirectoryW": 152240, "CreateDirectoryExW": 241552, "RemoveDirectoryA": 153232, "RemoveDirectoryW": 153248, "FindFirstFileExA": 152464, "FindFirstFileExW": 152480, "FindNextFileW": 152592, "CopyFileA": 402736, "CopyFileW": 153936, "CopyFileExW": 134720, "DeleteFileA": 152320, "DeleteFileW": 152336, "GetDiskFreeSpaceExA": 152672, "GetDiskFreeSpaceExW": 152688, "GetDiskFreeSpaceA": 152656, "GetDiskFreeSpaceW": 152704, "GetVolumeNameForVolumeMountPointW": 151536, "GetVolumeInformationByHandleW": 153056, "FindFirstChangeNotificationW": 152432, "RegOpenKeyExA": 247856, "RegOpenKeyExW": 135552, "RegCreateKeyExA": 246992, "RegCreateKeyExW": 247024, "RegEnumKeyExA": 247280, "RegEnumKeyExW": 247360, "RegEnumValueA": 247440, "RegEnumValueW": 247520, "RegSetValueExA": 248368, "RegSetValueExW": 248400, "RegQueryValueExA": 248144, "RegQueryValueExW": 248176, "RegDeleteValueA": 247184, "RegDeleteValueW": 247216, "RegQueryInfoKeyA": 247888, "RegQueryInfoKeyW": 248016, "RegCloseKey": 149920, "RegNotifyChangeKeyValue": 247824, "CreateToolhelp32Snapshot": 164368, "Process32FirstW": 142864, "Process32NextW": 142256, "WaitForDebugEvent": 
250096, "ReadProcessMemory": 117872, "WriteProcessMemory": 250608, "VirtualProtectEx": 250064, "CreateThread": 113968, "CreateRemoteThread": 242064, "SetErrorMode": 118672, "DeviceIoControl": 88944, "IsDebuggerPresent": 133424, "WriteConsoleA": 154416, "WriteConsoleW": 154432, "GetComputerNameA": 109200, "GetComputerNameW": 109552, "GetSystemInfo": 123696, "SystemTimeToTzSpecificLocalTime": 141616, "GlobalMemoryStatus": 118912, "GlobalMemoryStatusEx": 134320, "GetLocalTime": 124832, "GetSystemTime": 113936, "GetSystemTimeAsFileTime": 99088, "GetTickCount": 89120, "GetTickCount64": 90896, "VirtualFree": 108736}, "DllBase": "0x7ffbc2640000", "DllName": "\\Windows\\System32\\kernel32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "DllBase": "0x3130000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", "DllBase": "0xe590000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", 
"Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Program 
Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\msvcrt.dll", "DllBase": "0x7ffbc2c30000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"system": 97872}, "DllBase": "0x7ffbc2c30000", "DllName": "\\Windows\\System32\\msvcrt.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 5388} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\advapi32.dll", "DllBase": "0x7ffbc36c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel32.dll", "DllBase": "0x7ffbc2640000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri", "DllBase": "0xed50000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "DllBase": "0x3360000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CryptAcquireContextA": 94000, "CryptAcquireContextW": 94320, "RegOpenKeyExA": 93568, "RegOpenKeyExW": 90080, "RegCreateKeyExA": 96544, "RegCreateKeyExW": 93184, "RegDeleteKeyA": 16528, "RegDeleteKeyW": 93216, "RegEnumKeyW": 91296, "RegEnumKeyExA": 16624, "RegEnumKeyExW": 88560, "RegEnumValueA": 202176, "RegEnumValueW": 91968, "RegSetValueExA": 16704, "RegSetValueExW": 94080, "RegQueryValueExA": 93872, "RegQueryValueExW": 90048, "RegDeleteValueA": 17456, "RegDeleteValueW": 104080, "RegQueryInfoKeyA": 17056, "RegQueryInfoKeyW": 90624, "RegCloseKey": 92048, "RegNotifyChangeKeyValue": 96864, "CreateProcessWithLogonW": 304352, "CreateProcessWithTokenW": 17488, "InitiateShutdownW": 104112, "InitiateSystemShutdownW": 281520, "InitiateSystemShutdownExW": 290480, "LookupPrivilegeValueW": 63856, "GetCurrentHwProfileW": 94368, "GetUserNameA": 304480, "GetUserNameW": 91376, "LsaOpenPolicy": 113712, "SaferIdentifyLevel": 46944, "OpenSCManagerA": 97648, "OpenSCManagerW": 96448, "CreateServiceA": 197216, "CreateServiceW": 197360, "OpenServiceA": 201664, "OpenServiceW": 96992, "StartServiceA": 203056, "StartServiceW": 119584, "ControlService": 196960, "DeleteService": 199648, "CryptDecrypt": 198880, "CryptEncrypt": 199008, "CryptHashData": 93120, "CryptDecryptMessage": 198880, "CryptEncryptMessage": 199008, "CryptExportKey": 91904, "CryptGenKey": 199168, "CryptCreateHash": 92080, "CryptEnumProvidersA": 199104, "CryptEnumProvidersW": 199136}, "DllBase": "0x7ffbc36c0000", "DllName": "\\Windows\\System32\\advapi32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"SetUnhandledExceptionFilter": 132480, "CreateProcessInternalW": 241936, "MoveFileWithProgressW": 246112, "MoveFileWithProgressTransactedW": 143376, "CreateDirectoryW": 152240, "CreateDirectoryExW": 241552, "RemoveDirectoryA": 153232, "RemoveDirectoryW": 153248, "FindFirstFileExA": 152464, "FindFirstFileExW": 152480, "FindNextFileW": 152592, "CopyFileA": 402736, "CopyFileW": 153936, "CopyFileExW": 134720, "DeleteFileA": 152320, "DeleteFileW": 152336, "GetDiskFreeSpaceExA": 152672, "GetDiskFreeSpaceExW": 152688, "GetDiskFreeSpaceA": 152656, "GetDiskFreeSpaceW": 152704, "GetVolumeNameForVolumeMountPointW": 151536, "GetVolumeInformationByHandleW": 153056, "FindFirstChangeNotificationW": 152432, "RegOpenKeyExA": 247856, "RegOpenKeyExW": 135552, "RegCreateKeyExA": 246992, "RegCreateKeyExW": 247024, "RegEnumKeyExA": 247280, "RegEnumKeyExW": 247360, "RegEnumValueA": 247440, "RegEnumValueW": 
247520, "RegSetValueExA": 248368, "RegSetValueExW": 248400, "RegQueryValueExA": 248144, "RegQueryValueExW": 248176, "RegDeleteValueA": 247184, "RegDeleteValueW": 247216, "RegQueryInfoKeyA": 247888, "RegQueryInfoKeyW": 248016, "RegCloseKey": 149920, "RegNotifyChangeKeyValue": 247824, "CreateToolhelp32Snapshot": 164368, "Process32FirstW": 142864, "Process32NextW": 142256, "WaitForDebugEvent": 250096, "ReadProcessMemory": 117872, "WriteProcessMemory": 250608, "VirtualProtectEx": 250064, "CreateThread": 113968, "CreateRemoteThread": 242064, "SetErrorMode": 118672, "DeviceIoControl": 88944, "IsDebuggerPresent": 133424, "WriteConsoleA": 154416, "WriteConsoleW": 154432, "GetComputerNameA": 109200, "GetComputerNameW": 109552, "GetSystemInfo": 123696, "SystemTimeToTzSpecificLocalTime": 141616, "GlobalMemoryStatus": 118912, "GlobalMemoryStatusEx": 134320, "GetLocalTime": 124832, "GetSystemTime": 113936, "GetSystemTimeAsFileTime": 99088, "GetTickCount": 89120, "GetTickCount64": 90896, "VirtualFree": 108736}, "DllBase": "0x7ffbc2640000", "DllName": "\\Windows\\System32\\kernel32.dll", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db", "DllBase": "0xea00000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.296068", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e35", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb40:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x667e2beb88"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.301725", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e3b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb40:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x667e2beb88"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.302886", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", 
"EventUID": "0x4e46", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb90:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x667e2bebd8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.303628", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e4e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beb90:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x667e2bebd8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.307961", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4e73", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2bdfc0:\"api-ms-win-core-localization-l1-2-1\"", "Arg3=0x667e2be008"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.339727", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x4f56", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde550:\"ntdll.dll\"", "Arg3=0x6f9afde570"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.345409", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x4f9e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", 
"Arg1=0x0", "Arg2=0x6f9afde5b0:\"ntdll.dll\"", "Arg3=0x6f9afde5d0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.348101", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x4fc0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc3a0392c", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x7ffbc3a4d1e0:\"KERNEL32.DLL\"", "Arg3=0x6f9afdf028"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.386294", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x51cb", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"kernel32\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.390432", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x51fe", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"api-ms-win-core-string-l1-1-0\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.391401", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x520a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"api-ms-win-core-datetime-l1-1-1\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.393140", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5222", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e2beaf0:\"api-ms-win-core-localization-obsolete-l1-2-0\"", "Arg3=0x667e2beb38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.400549", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5286", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2beb90:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e2bebb0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.405164", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x52c3", 
"Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2bea40:\"ntdll.dll\"", "Arg3=0x667e2bea60"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.423117", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x537f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2beb90:\"rpcrt4.dll\"", "Arg3=0x667e2bebb0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": 
"0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dllhost.exe", "DllBase": "0x7ff74c210000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": 
"1716999136.504969", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5767", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e2bf7f0:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e2bf810"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.512961", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x57da", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x50001f", "Arg2=0x667e2bf7a0", "Arg3=0x8", "Arg4=0x0", "Arg5=0x0", "Arg6=0x667e2bf750", "Arg7=0x0", "Arg8=0x667e2bf7d0", "Arg9=0x7ff74b907984"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.514588", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateThread", "EventUID": "0x57ee", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b9079ae", "ReturnValue": "0x11c", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ff74b900490", "Arg3=0x0", "Arg4=0x0", "Arg5=0x0", "Arg6=0x0", "Arg7=0x7ff74b909391"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.532717", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x58f4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", 
"Arg2=0x6f9afdeba0:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x6f9afdebe8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.534334", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5907", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afdeba0:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x6f9afdebe8"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.535761", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5916", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x6f9afdec38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.536492", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x591e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x6f9afdec38"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.538358", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x5936", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9afde020:\"api-ms-win-core-localization-l1-2-1\"", "Arg3=0x6f9afde068"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.542974", "PID": 
5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5978", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x6f9afdec10"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.547772", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x59b7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdeaa0:\"ntdll.dll\"", "Arg3=0x6f9afdeac0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.567308", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x5aad", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x0", "Arg3=0x0", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.570977", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x5ad7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x50000f", "Arg2=0x667e67e820", "Arg3=0x18", "Arg4=0x0", "Arg5=0x0", "Arg6=0x667e67e7f0", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ff74b90465c"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\user32.dll", "DllBase": 
"0x7ffbc31a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CreateWindowExA": 15376, "CreateWindowExW": 30496, "FindWindowA": 503872, "FindWindowW": 144880, "FindWindowExA": 12368, "FindWindowExW": 155376, "SendNotifyMessageA": 199568, "SendNotifyMessageW": 168848, "SetWindowLongA": 182352, "SetWindowLongW": 69392, "SetWindowLongPtrA": 182448, "SetWindowLongPtrW": 47040, "SetWindowsHookExA": 324864, "SetWindowsHookExW": 176832, "UnhookWindowsHookEx": 176672, "ExitWindowsEx": 180000, "GetSystemMetrics": 134848, "GetCursorPos": 163136, "GetAsyncKeyState": 147152, "SystemParametersInfoA": 166592, "SystemParametersInfoW": 144208, "GetLastInputInfo": 158240, "MsgWaitForMultipleObjectsEx": 132960}, "DllBase": "0x7ffbc31a0000", "DllName": "\\Windows\\System32\\user32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.617224", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5cb7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdebf0:\"rpcrt4.dll\"", "Arg3=0x6f9afdec10"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcss.dll", "DllBase": "0x1d073250000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.635572", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x5da7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf160:\"C:\\\\Windows\\\\system32\\\\rpcss.dll\"", "Arg3=0x6f9afdf190"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": 
"apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcrt.dll", "DllBase": "0x7ffbc2c30000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"system": 97872}, "DllBase": "0x7ffbc2c30000", "DllName": "\\Windows\\System32\\msvcrt.dll", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": 
"apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999136.695190", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6077", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67e6d0:\"gdi32full.dll\"", "Arg3=0x667e67e6f0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": 
"0x7ffbc17c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x1ba2bcb0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.718087", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6156", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dd50:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67dd70"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.720473", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "DeviceIoControl", "EventUID": "0x6173", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc17df10d", "ReturnValue": "0x1", "Arguments": ["Arg0=0x108", "Arg1=0x390008", "Arg2=0x0", "Arg3=0x0", "Arg4=0x6f9afde158", "Arg5=0x6f00000030", "Arg6=0x6f9afde138", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ffbc17d83a4"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.725753", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x61a4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf440:\"combase.dll\"", "Arg3=0x6f9afdf460"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.727437", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x61b8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d1f0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67d210"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.728228", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x61c2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x667e67dd40:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67dd88"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.728584", 
"PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x61c6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dfd0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x667e67dff0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\Conhost.exe.mui", "DllBase": "0x1ba2bcb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": 
"1716999136.782679", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6493", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dc20:\"gdi32.dll\"", "Arg3=0x667e67dc40"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.824531", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x66de", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x6f9afde840:\"rpcrt4.dll\"", "Arg3=0x6f9afde888"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.852755", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x687a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67dde0:\"ntdll.dll\"", "Arg3=0x667e67de00"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.858678", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68d0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ed00:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ed48"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.859202", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68d3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e67ed00:\"user32.dll\"", "Arg3=0x667e67ed48"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.859937", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68da", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ed10:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ed58"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.860432", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x68dd", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ec00:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec48"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.878531", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x69e2", "Event": "api_called", 
"CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ebd0:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec18"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.933318", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6cc1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde1b0:\"ntdll.dll\"", "Arg3=0x6f9afde1d0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\shell32.dll", "DllBase": "0x7ffbc1990000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"SHGetFolderPathW": 711520, "SHGetKnownFolderPath": 804704, "SHGetFileInfoW": 356832, "ShellExecuteExW": 292000}, "DllBase": "0x7ffbc1990000", "DllName": "\\Windows\\System32\\shell32.dll", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.954837", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6dc0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d730:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e67d750"]} +{"Plugin": "apimon", "TimeStamp": "1716999136.956060", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6dcf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d5b0:\"advapi32.dll\"", "Arg3=0x667e67d5d0"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999136.961110", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x6e17", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67d670:\"ntdll.dll\"", "Arg3=0x667e67d690"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999136.975855", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x6ec8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x667e67e240:\"C:\\\\Windows\\\\system32\\\\uxtheme.dll\"", "Arg3=0x667e67e288"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcss.dll", "DllBase": "0x1d0732b0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.031823", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x719a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde910:\"C:\\\\Windows\\\\system32\\\\rpcss.dll\"", "Arg3=0x6f9afde940"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.052403", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x728e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314af", "ReturnValue": "0x10", "Arguments": ["Arg0=0x32"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.052933", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7292", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314c4", "ReturnValue": "0x10", "Arguments": ["Arg0=0x31"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.053501", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7296", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314d9", "ReturnValue": "0x20", "Arguments": ["Arg0=0xc"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.053963", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x729a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1a314ee", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.057960", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x72b6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e67d600:\"kernel32.dll\"", "Arg3=0x667e67d648"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\Globalization\\Sorting\\SortDefault.nls", "DllBase": "0x1ba2d6b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x2bb60000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.066822", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x730f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e67cc00:\"ntdll.dll\"", "Arg3=0x667e67cc20"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.071363", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x7347", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ebc0:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec08"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.071832", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x734b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e67ebc0:\"user32.dll\"", "Arg3=0x667e67ec08"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.072631", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x7354", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67e920:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67e968"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.097596", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7496", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afde930:\"combase.dll\"", "Arg3=0x6f9afde950"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.182672", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7835", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf130:\"combase.dll\"", "Arg3=0x6f9afdf160"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.191545", 
"PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateThread", "EventUID": "0x784a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc289cac4", "ReturnValue": "0x178", "Arguments": ["Arg0=0x0", "Arg1=0x8000", "Arg2=0x7ffbc28e2ce0", "Arg3=0x1d07307f850", "Arg4=0x1d000000000", "Arg5=0x6f9afdf1b0", "Arg6=0x1574f454d", "Arg7=0x134"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.204576", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateThread", "EventUID": "0x78f4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f48ca", "ReturnValue": "0x1a4", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ff74b90b670", "Arg3=0x1ba2bd034c0", "Arg4=0x1ba00000000", "Arg5=0x0", "Arg6=0x0", "Arg7=0x7ff74b8f44e7"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.205372", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x78fc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e67ec50:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e67ec98"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.206976", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateThread", "EventUID": "0x7910", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90e082", "ReturnValue": "0x1a8", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ff74b8f2ea0", "Arg3=0x0", "Arg4=0x7ffb00000000", "Arg5=0x667e67ed18", "Arg6=0x0", "Arg7=0x7ff74b8f45bc"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\conhost.exe", "DllBase": "0x1ba2e0f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.233781", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7a39", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f3f6c", "ReturnValue": "0x10", "Arguments": ["Arg0=0x32"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.234219", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x7a3d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f3f7f", "ReturnValue": "0x10", "Arguments": ["Arg0=0x31"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": 
"1716999137.236645", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x7a58", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ffa98", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.237362", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x7a60", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ffa98", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.239723", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x7a7c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ffa98", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": 
"0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": 
"1716999137.315158", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7e1f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe1b0:\"api-ms-win-core-synch-l1-2-0.dll\"", "Arg3=0x667e6fe1d0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ole32.dll", "DllBase": "0x1ba2e0f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.359100", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x7efb", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe220:\"ext-ms-win-ole32-oleautomation-l1-1-0.dll\"", "Arg3=0x667e6fe240"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.372628", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x7fa6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x70354", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", 
"DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.416095", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x81f7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fea00:\"ntdll.dll\"", "Arg3=0x667e6fea20"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.424227", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x8270", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x1ba2d6a0bf0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.426158", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x8287", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b901b81", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xffffffeb", "Arg2=0x1ba2bd04690"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.427460", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8295", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": 
["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.428152", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x829c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.465968", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x83a5", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9afdf480:\"combase.dll\"", "Arg3=0x6f9afdf4b0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.467793", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateThread", "EventUID": "0x83b9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc289cac4", "ReturnValue": "0x198", "Arguments": ["Arg0=0x0", "Arg1=0x8000", "Arg2=0x7ffbc28e2ce0", "Arg3=0x1d0730882e0", "Arg4=0x0", "Arg5=0x6f9afdf500", "Arg6=0x1d073077d70", "Arg7=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.470603", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x83de", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": 
"0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.474383", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8403", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.475187", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x840b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.477097", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8422", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", 
"Arg2=0x667e6fef58", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\user32.dll", "DllBase": "0x7ffbc31a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CreateWindowExA": 15376, "CreateWindowExW": 30496, "FindWindowA": 503872, "FindWindowW": 144880, "FindWindowExA": 12368, "FindWindowExW": 155376, "SendNotifyMessageA": 199568, "SendNotifyMessageW": 168848, "SetWindowLongA": 182352, "SetWindowLongW": 69392, "SetWindowLongPtrA": 182448, "SetWindowLongPtrW": 47040, "SetWindowsHookExA": 324864, "SetWindowsHookExW": 176832, "UnhookWindowsHookEx": 176672, "ExitWindowsEx": 180000, "GetSystemMetrics": 134848, "GetCursorPos": 163136, "GetAsyncKeyState": 147152, "SystemParametersInfoA": 166592, "SystemParametersInfoW": 144208, "GetLastInputInfo": 158240, "MsgWaitForMultipleObjectsEx": 132960}, "DllBase": "0x7ffbc31a0000", "DllName": "\\Windows\\System32\\user32.dll", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": 
"0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.545329", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0x8768", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f39ae", "ReturnValue": "0x80324", "Arguments": ["Arg0=0xc0110", "Arg1=0x7ff74b991048:\"ConsoleWindowClass\"", "Arg2=0x1ba2bd045d0:\"C:\\\\Users\\\\litter\\\\Desktop\\\\malware.exe\"", "Arg3=0xff0000", "Arg4=0x7ff780000000", "Arg5=0x7ffb00000000", "Arg6=0x3e1", "Arg7=0x207", "Arg8=0x0", "Arg9=0x0", "Arg10=0x0", "Arg11=0x1ba2bd04690"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-GB\\user32.dll.mui", "DllBase": "0x1ba2bf80000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.572178", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x888a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"kernel32\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.572685", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x888e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"api-ms-win-core-string-l1-1-0\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.573175", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x8892", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"api-ms-win-core-datetime-l1-1-1\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.573677", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x8896", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x6f9b6fe5b0:\"api-ms-win-core-localization-obsolete-l1-2-0\"", "Arg3=0x6f9b6fe5f8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.584710", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8930", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fea80:\"USER32\"", "Arg3=0x667e6feaa0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.585060", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8935", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fe760:\"gdi32full.dll\"", "Arg3=0x6f9b6fe780"]} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x1d0734b0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.591688", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8982", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fdde0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fde00"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.599613", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x89e1", "Event": "api_called", "CLSID": null, "CalledFrom": 
"0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fd280:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fd2a0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.599950", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x89e3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x6f9b6fddd0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fde18"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.600495", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x89e8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fe060:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x6f9b6fe080"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.665086", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x8d1b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fdcb0:\"gdi32.dll\"", "Arg3=0x6f9b6fdcd0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.678116", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8daf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7e927", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff180", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.687719", "PID": 3564, "PPID": 4852, "TID": 
4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8e2f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7d429", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff070", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.690995", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x8e5b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7d429", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff120", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.734863", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x909f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fde70:\"ntdll.dll\"", "Arg3=0x6f9b6fde90"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\uxtheme.dll", "DllBase": "0x7ffbbed70000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999137.787050", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0x9352", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x6f9b6fed90:\"C:\\\\Windows\\\\system32\\\\uxtheme.dll\"", "Arg3=0x6f9b6fedd8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\Fonts\\StaticCache.dat", "DllBase": "0x1ba2e6e0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.870973", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x97ae", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0xd0022", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999137.878466", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateWindowExW", "EventUID": "0x981d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc290fd57", "ReturnValue": "0xd0022", "Arguments": ["Arg0=0x0", "Arg1=0xc03c:\"\"", "Arg2=0x7ffbc2ad0348:\"OleMainThreadWndName\"", "Arg3=0x88000000", "Arg4=0x1480000000", "Arg5=0x7ffb80000000", "Arg6=0x80000000", "Arg7=0x80000000", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbc2840000", "Arg11=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.884004", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9869", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc28f5585", "ReturnValue": "0x7ffbc290cab0", "Arguments": ["Arg0=0xd0022", "Arg1=0xfffffffc", "Arg2=0x7ffbc28c31f0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": "0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextShaping.dll", "DllBase": 
"0x7ffbbcec0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999137.913817", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "CreateThread", "EventUID": "0x9a00", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc28e7bdc", "ReturnValue": "0x1cc", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x7ffbc2927ec0", "Arg3=0x1d073077f20", "Arg4=0x1d000000000", "Arg5=0x6f9afdf4c0", "Arg6=0x6f9afdf4f0", "Arg7=0x6f9afdf4c0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.940128", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9b64", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x1ba2d6a0bf0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.948190", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9bd2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x1ba2d6a0bb0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.949332", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9be0", "Event": "api_called", "CLSID": null, 
"CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ff598", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.950140", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9be8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ff598", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.952227", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9bfc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ff598", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.994587", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9ddf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ff528", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.995379", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9de7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ff528", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999137.997364", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0x9dfe", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ff528", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.007843", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0x9e8c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x667e6ffa60:\"uxtheme.dll\"", "Arg3=0x667e6ffaa8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.037093", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0x9fe6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x1ba2d6a0bb0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.041915", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xa024", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7dd8a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffffe", "Arg2=0x1ba2d6a0bb0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WindowsShell.Manifest", "DllBase": "0x1ba2d5f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.079873", "PID": 
3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa1ac", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa03bbc", "ReturnValue": "0x1", "Arguments": ["Arg0=0x1022", "Arg1=0x0", "Arg2=0x7ffbbabce7d0", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.080385", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xa1b0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6feaf0:\"LPK\"", "Arg3=0x667e6feb10"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.080788", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xa1b3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6feaf0:\"GDI32\"", "Arg3=0x667e6feb10"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.081606", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xa1be", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6ff4c0:\"comctl32\"", "Arg3=0x667e6ff508"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.084737", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa1e3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7e927", "ReturnValue": "0x1", "Arguments": ["Arg0=0x42", "Arg1=0x10", "Arg2=0x667e6ff4e0", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.112118", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa38f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6fefa8", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.112942", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa397", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6fefa8", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.114508", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xa3ab", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6fefa8", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": 
"0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\SHCore.dll", "DllBase": "0x7ffbc2710000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999138.205042", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa88f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c094", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.205524", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa892", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c05b", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.205957", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa895", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c079", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.206418", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa899", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c035", "ReturnValue": "0x20", "Arguments": ["Arg0=0xc"]} +{"Plugin": "apimon", 
"TimeStamp": "1716999138.206830", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa89c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c019", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.207299", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xa8a0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbab43c035", "ReturnValue": "0x20", "Arguments": ["Arg0=0xb"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.208543", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0xa8ad", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", "Arg2=0x6f9b6fdc40:\"C:\\\\Windows\\\\System32\\\\thumbcache.dll\"", "Arg3=0x6f9b6fdc88"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\thumbcache.dll", "DllBase": "0x7ffbab420000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999138.209940", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xa8b9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x6f9b6fe210:\"combase.dll\"", "Arg3=0x6f9b6fe230"]} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dwmapi.dll", "DllBase": "0x7ffbbee50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", 
"PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\propsys.dll", "DllBase": "0x7ffbbcd00000", "PID": 5388} +{"Plugin": "apimon", "TimeStamp": "1716999138.286417", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowsHookExW", "EventUID": "0xac6e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b8f30a1", "ReturnValue": "0x6a02b3", "Arguments": ["Arg0=0xffffffff", "Arg1=0x7ff74b973d10", "Arg2=0x0", "Arg3=0x126c"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.300031", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "LdrLoadDll", "EventUID": "0xacfb", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", "Arg2=0x6f9b6fc930:\"C:\\\\Windows\\\\system32\\\\propsys.dll\"", "Arg3=0x6f9b6fc978"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcss.dll", "DllBase": 
"0x1ba2f940000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.457286", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xb4dc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe970:\"C:\\\\Windows\\\\system32\\\\rpcss.dll\"", "Arg3=0x667e6fe9a0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\kernel.appcore.dll", "DllBase": "0x7ffbbe920000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.518283", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0xb6dc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc17df10d", "ReturnValue": "0x1", "Arguments": ["Arg0=0x200", "Arg1=0x390008", "Arg2=0x0", "Arg3=0x0", "Arg4=0x667e6fd968", "Arg5=0x6600000030", "Arg6=0x667e6fd948", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ffbc17d83a4"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.527109", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xb740", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x70322", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.529108", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xb758", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc290fd57", "ReturnValue": "0x70322", "Arguments": ["Arg0=0x0", "Arg1=0xc03c:\"\"", "Arg2=0x7ffbc2ad0348:\"OleMainThreadWndName\"", "Arg3=0x88000000", "Arg4=0x1480000000", "Arg5=0x7ffb80000000", "Arg6=0x80000000", "Arg7=0x80000000", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbc2840000", "Arg11=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.545379", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xb82e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc34384ce", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2000"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.558074", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xb8d9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9030a", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.560982", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xb900", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc342b378", "ReturnValue": "0x9030a", "Arguments": ["Arg0=0x0", "Arg1=0x7ffbc34efa88:\"CicMarshalWndClass\"", "Arg2=0x7ffbc34efab0:\"CicMarshalWnd\"", "Arg3=0x88000000", "Arg4=0x7ffb00000000", "Arg5=0x0", "Arg6=0x6600000000", "Arg7=0x0", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbc3410000", "Arg11=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.564701", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xb930", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fcb60:\"rpcrt4.dll\"", "Arg3=0x667e6fcba8"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.607739", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xbb63", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": 
["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe0f0:\"ntdll.dll\"", "Arg3=0x667e6fe110"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 
3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ws2_32.dll", "DllBase": "0x7ffbc27c0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntmarta.dll", "DllBase": "0x7ffbc0150000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreUIComponents.dll", "DllBase": "0x7ffbbe390000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"WSAStartup": 60176, "getaddrinfo": 14096, "GetAddrInfoW": 23328, "gethostname": 157920, "gethostbyname": 157392, "socket": 22000, "connect": 72272, "send": 8992, "sendto": 71520, "recv": 73104, "recvfrom": 81312, "accept": 70496, "bind": 68032, "listen": 70304, "select": 71104, "setsockopt": 69792, "ioctlsocket": 20960, "closesocket": 20480, "shutdown": 72896, "WSAAccept": 70528, "WSAConnect": 
196912, "WSAConnectByNameW": 199808, "WSAConnectByList": 197216, "WSARecv": 66816, "WSARecvFrom": 80976, "WSASend": 8032, "WSASendTo": 190384, "WSASendMsg": 21024, "WSASocketA": 81936, "WSASocketW": 22192}, "DllBase": "0x7ffbc27c0000", "DllName": "\\Windows\\System32\\ws2_32.dll", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\WinTypes.dll", "DllBase": "0x7ffbbdc50000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\oleaut32.dll", "DllBase": "0x7ffbc3340000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.723605", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc010", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", 
"Arg2=0x667e6fe750:\"ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll\"", "Arg3=0x667e6fe770"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.731883", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xc026", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fe5d0:\"ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll\"", "Arg3=0x667e6fe618"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.732775", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc02d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe4b0:\"ntdll.dll\"", "Arg3=0x667e6fe4d0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": 
"0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.746356", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xc0d4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0x900d8", "Arg1=0xfffffffe", "Arg2=0xfffffffffffffffe"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.748501", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xc0ec", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbe72dfdf", "ReturnValue": "0x900d8", "Arguments": ["Arg0=0x0", "Arg1=0x7ffbbe78a158:\"UserAdapterWindowClass\"", "Arg2=0x0:\"\"", "Arg3=0x0", "Arg4=0x6600000000", "Arg5=0x1ba00000000", "Arg6=0x1ba00000000", "Arg7=0x1ba00000000", "Arg8=0xfffffffffffffffd", "Arg9=0x0", "Arg10=0x7ffbbe6f0000", "Arg11=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.750263", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xc0fd", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbe72e218", "ReturnValue": "0x0", "Arguments": ["Arg0=0x900d8", "Arg1=0x0", "Arg2=0x1ba2bfd6790"]} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.752237", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xc111", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fe4d0:\"ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll\"", "Arg3=0x667e6fe518"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": 
"0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.758230", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xc149", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x667e6fe340:\"api-ms-win-core-com-l1-1-0.dll\"", "Arg3=0x667e6fe388"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.774585", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc216", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe5a0:\"ntdll.dll\"", "Arg3=0x667e6fe5c0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", 
"Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\TextInputFramework.dll", "DllBase": "0x7ffbba2b0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msctf.dll", "DllBase": "0x7ffbc3410000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.796081", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc320", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe9c0:\"iertutil.dll\"", "Arg3=0x667e6fe9e0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.822076", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc45a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fd660:\"USER32\"", "Arg3=0x667e6fd680"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.840112", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", 
"EventUID": "0xc541", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbed7ff31", "ReturnValue": "0x0", "Arguments": ["Arg0=0xa0242", "Arg1=0xfffffffe", "Arg2=0xffffffffffffffff"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.842103", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xc559", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc34256b3", "ReturnValue": "0x0", "Arguments": ["Arg0=0xa0242", "Arg1=0x8", "Arg2=0x1ba2dcd5a40"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.843314", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "CreateWindowExW", "EventUID": "0xc567", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc31a85ff", "ReturnValue": "0xa0242", "Arguments": ["Arg0=0x0", "Arg1=0x667e6fe434:\"MSCTFIME UI\"", "Arg2=0x667e6fe434:\"MSCTFIME UI\"", "Arg3=0x88000000", "Arg4=0x1ba00000000", "Arg5=0x100000000", "Arg6=0x312700000000", "Arg7=0x700000000", "Arg8=0x70354", "Arg9=0x0", "Arg10=0x0", "Arg11=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999138.848762", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xc5b1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fe830:\"combase.dll\"", "Arg3=0x667e6fe850"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\clbcatq.dll", "DllBase": "0x7ffbc2fb0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\combase.dll", "DllBase": "0x7ffbc2840000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999138.982882", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xcb4a", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", "Arg2=0x667e6fd050:\"C:\\\\Windows\\\\System32\\\\msctf.dll\"", "Arg3=0x667e6fd098"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.036313", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xce2b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x2009", "Arg1=0x0", 
"Arg2=0x667e6fd050:\"C:\\\\Windows\\\\system32\\\\msctf.dll\"", "Arg3=0x667e6fd098"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.039323", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xce49", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x667e6ff2d0:\"C:\\\\Windows\\\\System32\\\\MSCTF.dll\"", "Arg3=0x667e6ff318"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.259229", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd909", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14f6d", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x7ffbbabcd438", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.259935", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd910", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14f88", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x7ffbbabcd43c", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.260349", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xd913", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14f99", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.261085", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd91b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14fbd", "ReturnValue": "0x1", "Arguments": ["Arg0=0x26", "Arg1=0x4", "Arg2=0x7ffbbabcd440", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.262023", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd923", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14fda", "ReturnValue": "0x1", "Arguments": ["Arg0=0x103e", "Arg1=0x0", "Arg2=0x7ffbbabcd44c", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.262773", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd92b", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa14ff7", "ReturnValue": "0x1", "Arguments": ["Arg0=0x1042", "Arg1=0x0", "Arg2=0x7ffbbabcd450", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.263550", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xd933", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa15012", "ReturnValue": "0x1", "Arguments": ["Arg0=0x1b", "Arg1=0x0", "Arg2=0x7ffbbabcd444", "Arg3=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll", "DllBase": "0x7ffbba9a0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.265873", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xd93f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fee40:\"ntdll.dll\"", "Arg3=0x667e6fee60"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.328576", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xdc84", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa15452", "ReturnValue": "0x2", "Arguments": ["Arg0=0x2d"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.328985", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xdc86", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa1546d", "ReturnValue": "0x2", "Arguments": ["Arg0=0x2e"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.332370", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrGetDllHandle", "EventUID": "0xdcaa", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", 
"ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x667e6fef60:\"ntdll.dll\"", "Arg3=0x667e6fef80"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\apppatch\\sysmain.sdb", "DllBase": "0x7df4f96c0000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.365887", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xde55", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa12378", "ReturnValue": "0x14ff0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14df0000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.381954", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xdf04", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa123b0", "ReturnValue": "0x14df0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14ff0000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.413152", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xe02d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa123f4", "ReturnValue": "0x14ff0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14ff0000"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.484692", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xe3bc", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d968", "ReturnValue": "0x1", "Arguments": ["Arg0=0x68", "Arg1=0x0", "Arg2=0x667e6ff478", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.488562", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xe3c3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d938", "ReturnValue": "0x1", "Arguments": ["Arg0=0x6c", "Arg1=0x0", "Arg2=0x667e6ff478", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.491383", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SystemParametersInfoW", "EventUID": "0xe3e2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90d86a", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2006", "Arg1=0x0", "Arg2=0x667e6ff478", "Arg3=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.511089", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongPtrW", "EventUID": "0xe4ec", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbbaa12378", "ReturnValue": "0x14ef0000", "Arguments": ["Arg0=0x80324", "Arg1=0xfffffff0", "Arg2=0x14ef0000"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.601240", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xe93e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0x0", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.602416", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "LdrLoadDll", "EventUID": "0xe947", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x4001", "Arg1=0x0", "Arg2=0x667e3bf2a0:\"ext-ms-win-ntuser-window-l1-1-0\"", "Arg3=0x667e3bf2e8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 
3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.667555", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0xecd7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500033", "Arg2=0x0", "Arg3=0x0", "Arg4=0x0", "Arg5=0x7ff700000000", "Arg6=0x667e67ed10", "Arg7=0x0", "Arg8=0x0", "Arg9=0x7ff74b8f465c"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.669532", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0xece8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90bda8", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x50000b", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x0", "Arg5=0x0", "Arg6=0x667e67edd0", "Arg7=0x0", "Arg8=0x1ba2bd06650", "Arg9=0x7ff74b903d99"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.693922", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xee20", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", 
"DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\CoreMessaging.dll", "DllBase": "0x7ffbbe6f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\conhost.exe", "DllBase": "0x7ff74b8f0000", "PID": 3564} +{"Plugin": "apimon", "TimeStamp": "1716999139.733409", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xf021", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.971323", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0xfc4d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999139.973582", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0xfc69", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.110701", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x1031e", "Event": "api_called", "CLSID": null, "CalledFrom": 
"0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x0", "Arg3=0x0", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.430995", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x114ec", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.433106", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x11508", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999140.678185", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x122cf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bec00:\"ntdll.dll\"", "Arg3=0x12bec20"]} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", 
"DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\KernelBase.dll", "DllBase": "0x7ffbc1010000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 5228} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 5228} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\apphelp.dll", "DllBase": "0x7ffbbe940000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\apphelp.dll", "DllBase": "0x7ffbbe940000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\apphelp.dll", "DllBase": "0x7ffbbe940000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999140.822266", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x12ac9", "Event": 
"api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12be9f0:\"ntdll.dll\"", "Arg3=0x12bea38"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.824198", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x12ae0", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bec20:\"api-ms-win-eventing-provider-l1-1-0.dll\"", "Arg3=0x12bec50"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.829119", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x12b1c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bec90:\"ntdll.dll\"", "Arg3=0x12becb0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\apppatch\\sysmain.sdb", "DllBase": "0x7ff4fdaa0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999140.961902", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x132f2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.963329", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x13306", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": 
["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999140.969008", "PID": 5228, "PPID": 772, "TID": 1756, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1335f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fad7f220:\"oleaut32.dll\"", "Arg3=0x86fad7f240"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x400000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\advapi32.dll", "DllBase": "0x7ffbc36c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CryptAcquireContextA": 94000, "CryptAcquireContextW": 94320, "RegOpenKeyExA": 93568, "RegOpenKeyExW": 90080, "RegCreateKeyExA": 96544, "RegCreateKeyExW": 93184, "RegDeleteKeyA": 16528, "RegDeleteKeyW": 93216, "RegEnumKeyW": 91296, "RegEnumKeyExA": 16624, "RegEnumKeyExW": 88560, "RegEnumValueA": 202176, "RegEnumValueW": 91968, "RegSetValueExA": 16704, "RegSetValueExW": 94080, "RegQueryValueExA": 93872, "RegQueryValueExW": 90048, "RegDeleteValueA": 17456, "RegDeleteValueW": 104080, "RegQueryInfoKeyA": 17056, "RegQueryInfoKeyW": 90624, "RegCloseKey": 92048, "RegNotifyChangeKeyValue": 96864, "CreateProcessWithLogonW": 304352, "CreateProcessWithTokenW": 17488, "InitiateShutdownW": 104112, "InitiateSystemShutdownW": 281520, "InitiateSystemShutdownExW": 290480, "LookupPrivilegeValueW": 63856, "GetCurrentHwProfileW": 94368, "GetUserNameA": 304480, "GetUserNameW": 91376, "LsaOpenPolicy": 113712, "SaferIdentifyLevel": 46944, "OpenSCManagerA": 97648, "OpenSCManagerW": 96448, "CreateServiceA": 197216, "CreateServiceW": 197360, "OpenServiceA": 201664, "OpenServiceW": 96992, "StartServiceA": 203056, "StartServiceW": 119584, "ControlService": 196960, 
"DeleteService": 199648, "CryptDecrypt": 198880, "CryptEncrypt": 199008, "CryptHashData": 93120, "CryptDecryptMessage": 198880, "CryptEncryptMessage": 199008, "CryptExportKey": 91904, "CryptGenKey": 199168, "CryptCreateHash": 92080, "CryptEnumProvidersA": 199104, "CryptEnumProvidersW": 199136}, "DllBase": "0x7ffbc36c0000", "DllName": "\\Windows\\System32\\advapi32.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcrt.dll", "DllBase": "0x7ffbc2c30000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"system": 97872}, "DllBase": "0x7ffbc2c30000", "DllName": "\\Windows\\System32\\msvcrt.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\crypt32.dll", "DllBase": "0x7ffbc1360000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CryptDecodeObjectEx": 136000, "CryptImportPublicKeyInfo": 23040}, "DllBase": "0x7ffbc1360000", "DllName": "\\Windows\\System32\\crypt32.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 4852} 
+{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\psapi.dll", "DllBase": "0x7ffbc3890000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\psapi.dll", "DllBase": "0x7ffbc3890000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\user32.dll", "DllBase": "0x7ffbc31a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rpcrt4.dll", "DllBase": "0x7ffbc3590000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\sechost.dll", "DllBase": "0x7ffbc37f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ucrtbase.dll", "DllBase": "0x7ffbc14c0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.084533", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13930", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f360:\"ntdll.dll\"", "Arg3=0x86fa68f380"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.095996", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x139a8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc1064d96", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f940:\"mscoree.dll\"", "Arg3=0x86fa68f970"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": 
"0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.097339", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x139b3", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\psapi.dll", "DllBase": "0x7ffbc3890000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.101339", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x139df", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f520:\"ntdll.dll\"", "Arg3=0x86fa68f540"]} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"CreateWindowExA": 15376, "CreateWindowExW": 30496, "FindWindowA": 503872, "FindWindowW": 144880, "FindWindowExA": 12368, "FindWindowExW": 155376, "SendNotifyMessageA": 199568, "SendNotifyMessageW": 168848, "SetWindowLongA": 182352, "SetWindowLongW": 69392, "SetWindowLongPtrA": 182448, "SetWindowLongPtrW": 47040, "SetWindowsHookExA": 324864, "SetWindowsHookExW": 176832, "UnhookWindowsHookEx": 176672, "ExitWindowsEx": 180000, "GetSystemMetrics": 134848, 
"GetCursorPos": 163136, "GetAsyncKeyState": 147152, "SystemParametersInfoA": 166592, "SystemParametersInfoW": 144208, "GetLastInputInfo": 158240, "MsgWaitForMultipleObjectsEx": 132960}, "DllBase": "0x7ffbc31a0000", "DllName": "\\Windows\\System32\\user32.dll", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.106009", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a06", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f570:\"ntdll.dll\"", "Arg3=0x86fa68f590"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\win32u.dll", "DllBase": "0x7ffbc1960000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.112468", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a3c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f550:\"ntdll.dll\"", "Arg3=0x86fa68f570"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.113732", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a48", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f590:\"ntdll.dll\"", "Arg3=0x86fa68f5b0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", 
"DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.115849", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13a5d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ws2_32.dll", "DllBase": "0x7ffbc27c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"WSAStartup": 60176, "getaddrinfo": 14096, "GetAddrInfoW": 23328, "gethostname": 157920, "gethostbyname": 157392, "socket": 22000, "connect": 72272, "send": 8992, "sendto": 71520, "recv": 73104, "recvfrom": 81312, "accept": 70496, "bind": 68032, "listen": 70304, "select": 71104, "setsockopt": 69792, "ioctlsocket": 20960, "closesocket": 
20480, "shutdown": 72896, "WSAAccept": 70528, "WSAConnect": 196912, "WSAConnectByNameW": 199808, "WSAConnectByList": 197216, "WSARecv": 66816, "WSARecvFrom": 80976, "WSASend": 8032, "WSASendTo": 190384, "WSASendMsg": 21024, "WSASocketA": 81936, "WSASocketW": 22192}, "DllBase": "0x7ffbc27c0000", "DllName": "\\Windows\\System32\\ws2_32.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\msvcp_win.dll", "DllBase": "0x7ffbc1850000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32full.dll", "DllBase": "0x7ffbc15c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.213958", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x13f83", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.228126", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1403d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f580:\"ntdll.dll\"", "Arg3=0x86fa68f5a0"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999141.230280", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x14058", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.232173", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x14071", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.241203", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x140ea", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f530:\"ntdll.dll\"", "Arg3=0x86fa68f550"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.248274", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1414f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f540:\"ntdll.dll\"", "Arg3=0x86fa68f560"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.251119", "PID": 5228, "PPID": 772, "TID": 5224, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe", "Method": 
"LdrGetDllHandle", "EventUID": "0x14177", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x86fa68f570:\"ntdll.dll\"", "Arg3=0x86fa68f590"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\Desktop\\malware.exe", "DllBase": "0x400000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\userenv.dll", "DllBase": "0x7ffbc0ec0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.303682", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x14432", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf1b0:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x12bf1f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.356163", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x145af", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf1b0:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x12bf1f8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.359149", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x145ca", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", 
"Arg2=0x12bf200:\"api-ms-win-core-fibers-l1-1-1\"", "Arg3=0x12bf248"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.360291", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x145da", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf200:\"api-ms-win-core-synch-l1-2-0\"", "Arg3=0x12bf248"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.363632", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1460d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12be630:\"api-ms-win-core-localization-l1-2-1\"", "Arg3=0x12be678"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.368002", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x14651", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"kernel32\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.369879", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1466e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"api-ms-win-core-string-l1-1-0\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.373056", "PID": 4852, "PPID": 3888, 
"TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x146a1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"api-ms-win-core-datetime-l1-1-1\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.380641", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1471e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf120:\"api-ms-win-core-localization-obsolete-l1-2-0\"", "Arg3=0x12bf168"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.385032", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x14764", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bf2d0:\"gdi32full.dll\"", "Arg3=0x12bf2f0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x180000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.421212", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1496f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0xc0000135", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12be950:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12be970"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\imm32.dll", "DllBase": "0x7ffbc38a0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.428343", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x149bf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bddf0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12bde10"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.495052", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x14db1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.496679", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x14dc5", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.596598", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": 
"LdrLoadDll", "EventUID": "0x153d2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x9", "Arg1=0x0", "Arg2=0x12be940:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12be988"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.597099", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x153d6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bebd0:\"C:\\\\Windows\\\\system32\\\\IMM32.DLL\"", "Arg3=0x12bebf0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.613009", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x154d2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12be820:\"gdi32.dll\"", "Arg3=0x12be840"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\gdi32.dll", "DllBase": "0x7ffbc2c00000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", "DllBase": "0xe590000", "PID": 3888} +{"Plugin": "apimon", "TimeStamp": "1716999141.658378", "PID": 4852, "PPID": 3888, "TID": 6020, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x15751", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12be9e0:\"ntdll.dll\"", "Arg3=0x12bea00"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.684948", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x158bd", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bfa30:\"kernel32.dll\"", "Arg3=0x12bfa78"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.686136", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x158c2", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"advapi32.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.702845", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x159aa", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"ntdll.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\winmm.dll", "DllBase": "0x7ffbae1c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"timeGetTime": 12688}, "DllBase": "0x7ffbae1c0000", "DllName": "\\Windows\\System32\\winmm.dll", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.710688", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x15a15", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"winmm.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.711124", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x15a18", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bf9f0:\"ws2_32.dll\"", "Arg3=0x12bfa38"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "DllBase": "0x3130000", "PID": 3888} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 4852} +{"Plugin": "apimon", "Event": 
"dll_discovered", "DllName": "\\Windows\\System32\\bcryptprimitives.dll", "DllBase": "0x7ffbc17c0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\cryptbase.dll", "DllBase": "0x7ffbc08e0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999141.777834", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x15d35", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.802227", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x15e7c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.810547", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x15ee7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999141.848461", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x160db", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bfca0:\"kernel32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.854424", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x16125", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bfca0:\"ws2_32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "TimeStamp": "1716999141.949151", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16132", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db", "DllBase": "0x2920000", "PID": 3888} +{"Plugin": "apimon", "TimeStamp": "1716999142.029092", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x16569", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": 
"1716999142.030748", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x1657e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.073312", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "WSAStartup", "EventUID": "0x167cf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x0", "Arguments": ["Arg0=0x202", "Arg1=0xc00002fcc8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\mswsock.dll", "DllBase": "0x40b0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\mswsock.dll.mui", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\mswsock.dll", "DllBase": "0x40b0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\mswsock.dll.mui", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\wshqos.dll", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\wshqos.dll.mui", "DllBase": "0x1400000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\wshqos.dll", "DllBase": "0x13f0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-US\\wshqos.dll.mui", "DllBase": "0x1400000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999142.173880", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16d41", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.196793", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16e69", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.212138", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x16f2e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.218237", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x16f7c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bfca0:\"kernel32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.229418", "PID": 4852, "PPID": 3888, "TID": 
6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x17006", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x12bfca0:\"kernel32.dll\"", "Arg3=0x12bfce8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db", "DllBase": "0xea00000", "PID": 3888} +{"Plugin": "apimon", "TimeStamp": "1716999142.547197", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x17f94", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.548712", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x17fa8", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999142.947540", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrGetDllHandle", "EventUID": "0x18ca1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x12bfb50:\"ntdll.dll\"", "Arg3=0x12bfb70"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\tzres.dll", "DllBase": "0x4610000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": 
"\\Windows\\System32\\en-GB\\tzres.dll.mui", "DllBase": "0x4620000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\tzres.dll", "DllBase": "0x4610000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\en-GB\\tzres.dll.mui", "DllBase": "0x4620000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.020900", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x19035", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\mswsock.dll", "DllBase": "0x7ffbc06f0000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.092685", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x1940e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.098779", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x19427", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"TransmitFile": 164976, "NSPStartup": 49312}, "DllBase": "0x7ffbc06f0000", "DllName": "\\Windows\\System32\\mswsock.dll", "PID": 
4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.129325", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x195c1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bf1a0:\"C:\\\\Windows\\\\system32\\\\mswsock.dll\"", "Arg3=0x12bf1e8"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.142800", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "WSASocketW", "EventUID": "0x1965d", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c565e", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x2", "Arg1=0x2", "Arg2=0x0", "Arg3=0x0", "Arg4=0x0", "Arg5=0x1"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.143041", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "socket", "EventUID": "0x1965f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d42", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x2", "Arg1=0x2", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.143623", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "closesocket", "EventUID": "0x19666", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d5a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1ac"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.144430", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x19670", "Event": "api_called", 
"CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bf1a0:\"C:\\\\Windows\\\\system32\\\\mswsock.dll\"", "Arg3=0x12bf1e8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ClipSVC.dll", "DllBase": "0x7ffbb84e0000", "PID": 1552} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ClipSVC.dll", "DllBase": "0x7ffbb84e0000", "PID": 1552} +{"Plugin": "apimon", "TimeStamp": "1716999143.167972", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1979c", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x801", "Arg1=0x0", "Arg2=0x460fd70:\"advapi32.dll\"", "Arg3=0x460fdb8"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.169796", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "RegOpenKeyExW", "EventUID": "0x197b4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2", "Arguments": ["Arg0=0x80000001", "Arg1=0xc000110000:\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"", "Arg2=0x0", "Arg3=0x20006", "Arg4=0xc0000c1e38"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.170605", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "RegOpenKeyExW", "EventUID": "0x197bf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2", "Arguments": ["Arg0=0x80000001", "Arg1=0xc000110080:\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"", "Arg2=0x0", "Arg3=0x20006", "Arg4=0xc0000c1e38"]} +{"Plugin": "apimon", 
"TimeStamp": "1716999143.171411", "PID": 4852, "PPID": 3888, "TID": 5312, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "RegOpenKeyExW", "EventUID": "0x197c9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2", "Arguments": ["Arg0=0x80000001", "Arg1=0xc000110100:\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"", "Arg2=0x0", "Arg3=0x20006", "Arg4=0xc0000c1e38"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.207557", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "WSASocketW", "EventUID": "0x199be", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c565e", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x17", "Arg1=0x2", "Arg2=0x0", "Arg3=0x0", "Arg4=0x0", "Arg5=0x1"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.207664", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "socket", "EventUID": "0x199bf", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d69", "ReturnValue": "0x1ac", "Arguments": ["Arg0=0x17", "Arg1=0x2", "Arg2=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.208344", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "closesocket", "EventUID": "0x199c7", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27c2d81", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1ac"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.209404", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": 
"0x199d4", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12be990:\"C:\\\\Windows\\\\System32\\\\mswsock.dll\"", "Arg3=0x12be9d8"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\dnsapi.dll", "DllBase": "0x7ffbc0420000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"DnsQuery_A": 346992, "DnsQuery_UTF8": 153328, "DnsQuery_W": 33872}, "DllBase": "0x7ffbc0420000", "DllName": "\\Windows\\System32\\dnsapi.dll", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\nsi.dll", "DllBase": "0x7ffbc2830000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\nsi.dll", "DllBase": "0x7ffbc2830000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\nsi.dll", "DllBase": "0x7ffbc2830000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\IPHLPAPI.DLL", "DllBase": "0x7ffbc03e0000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\ntdll.dll", "DllBase": "0x7ffbc3930000", "PID": 1552} +{"Plugin": "apimon", "Event": "dll_loaded", "Rva": {"LdrLoadDll": 92688, "RtlCreateUserProcess": 924032, "DbgUiWaitStateChange": 838720, "RtlCreateUserThread": 352400, "LdrGetDllHandle": 92272, "LdrGetProcedureAddress": 531408, "RtlDecompressBuffer": 1005776, "RtlCompressBuffer": 534688}, "DllBase": "0x7ffbc3930000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1552} +{"Plugin": "apimon", "TimeStamp": "1716999143.277753", "PID": 1552, "PPID": 636, "TID": 3028, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": 
"LdrGetDllHandle", "EventUID": "0x19c92", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048b7f560:\"oleaut32.dll\"", "Arg3=0x9048b7f580"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.298086", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "NSPStartup", "EventUID": "0x19d4f", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc27d0119", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1435980", "Arg1=0x1439b10"]} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "Event": "dll_discovered", "DllName": "\\Windows\\System32\\rasadhlp.dll", "DllBase": "0x7ffbb9030000", "PID": 4852} +{"Plugin": "apimon", "TimeStamp": "1716999143.310556", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x19dd9", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x12bee00:\"C:\\\\Windows\\\\System32\\\\rasadhlp.dll\"", "Arg3=0x12bee48"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.336045", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x19f0e", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", 
"ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.387727", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x1a190", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.415438", "PID": 4852, "PPID": 3888, "TID": 3788, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "LdrLoadDll", "EventUID": "0x1a2f1", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc10456b2", "ReturnValue": "0x0", "Arguments": ["Arg0=0x1", "Arg1=0x0", "Arg2=0x3ead930:\"rpcrt4.dll\"", "Arg3=0x3ead978"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.459916", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "DeviceIoControl", "EventUID": "0x1a535", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b900560", "ReturnValue": "0x1", "Arguments": ["Arg0=0x4", "Arg1=0x500006", "Arg2=0x667e67f930", "Arg3=0x28", "Arg4=0x667e67f988", "Arg5=0x90", "Arg6=0x667e67f910", "Arg7=0x0", "Arg8=0x0", "Arg9=0x0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.613919", "PID": 4852, "PPID": 3888, "TID": 3788, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "GetAddrInfoW", "EventUID": "0x1ad0d", "Event": "api_called", "CLSID": null, "CalledFrom": 
"0x45be1e", "ReturnValue": "0x2af9", "Arguments": ["Arg0=0xc00000e500", "Arg1=0x0", "Arg2=0xc000101f30", "Arg3=0xc000101ea0"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.617584", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x1ad34", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.626741", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x1ad50", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999143.687911", "PID": 4852, "PPID": 3888, "TID": 6020, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe", "Method": "GetAddrInfoW", "EventUID": "0x1b059", "Event": "api_called", "CLSID": null, "CalledFrom": "0x45be1e", "ReturnValue": "0x2af9", "Arguments": ["Arg0=0xc00000c330", "Arg1=0x0", "Arg2=0xc0000c5f30", "Arg3=0xc0000c5ea0"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.118963", "PID": 1552, "PPID": 636, "TID": 1556, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1c169", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048a7eae0:\"ntdll.dll\"", "Arg3=0x9048a7eb00"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.155373", "PID": 3564, "PPID": 4852, "TID": 3176, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "GetSystemMetrics", "EventUID": "0x1c173", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90c990", "ReturnValue": "0x1", "Arguments": ["Arg0=0x2002"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.160033", "PID": 3564, "PPID": 4852, "TID": 6444, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "SetWindowLongW", "EventUID": "0x1c189", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ff74b90ae24", "ReturnValue": "0xc0c0c", "Arguments": ["Arg0=0x80324", "Arg1=0x8", "Arg2=0xc0c0c"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.199018", "PID": 1552, "PPID": 636, "TID": 1556, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1c2c6", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048a7eaa0:\"ntdll.dll\"", "Arg3=0x9048a7eac0"]} +{"Plugin": "apimon", "TimeStamp": "1716999144.203658", "PID": 1552, "PPID": 636, "TID": 1556, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "LdrGetDllHandle", "EventUID": "0x1c2de", "Event": "api_called", "CLSID": null, "CalledFrom": "0x7ffbc103e76a", "ReturnValue": "0x0", "Arguments": ["Arg0=0x0", "Arg1=0x0", "Arg2=0x9048a7eb20:\"ntdll.dll\"", "Arg3=0x9048a7eb40"]} +{"Plugin": "syscall", "TimeStamp": "1716999134.579643", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCDword", "EventUID": "0x16", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 63, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.580389", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x17", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284040", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a0284070", "Timeout": "0xfffff506a0284078", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.580630", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x19", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.581122", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x1c", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.581251", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x1d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0x0", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.581449", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x1f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", 
"IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.581640", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x21", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.582021", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x23", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x43c", "Flags": "0x20000", "SendMessage": "0xb54c250", "SendMessageAttributes": "0x23eff58", "ReceiveMessage": "0xb54c250", "BufferLength": "0x272ef18", "ReceiveMessageAttributes": "0x23eff58", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.582359", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x25", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.582553", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x27", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", 
"IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0x7ffb00000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.582849", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x29", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x104", "PortInformationClass": "0x0", "PortInformation": "0x435237f548", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.583003", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x2a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.583430", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserValidateTimerCallback", "EventUID": "0x2e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.583473", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x2f", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x104", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x16a346d0a70", "BufferLength": 
"0x435237f538", "ReceiveMessageAttributes": "0x435237f558", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.583759", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x32", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.583795", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x33", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f458", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.584230", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x36", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.584274", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x37", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x16a34b70dc8", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.584728", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x3a", "Module": "win32k", "vCPU": 
0, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.584770", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x3b", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x435237f270", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.584877", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x3d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0xffff806700000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585047", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x3f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585133", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x40", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", 
"WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f65c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585286", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x43", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionReserveHandle": "0xffffffff8000188c", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0x0", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585458", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x45", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284898", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a02846bc", "Timeout": "0xfffff506a02846d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585539", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x46", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x16a351ae930"} +{"Plugin": "syscall", "TimeStamp": "1716999134.585990", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetTimerEx", "EventUID": "0x4a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 432, "NArgs": 4, "TimerHandle": "0x460", "TimerSetInformationClass": "0x0", "TimerSetInformation": 
"0x272f7b0", "TimerSetInformationLength": "0x30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.586162", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUpdateWnfStateData", "EventUID": "0x4c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 463, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.586314", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x4e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 91, "NArgs": 5, "Count": "0x1", "Handles[]": "0x272f850", "WaitType": "0x1", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.586454", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x4f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac568", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\.lnk\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.586732", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x50", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.587050", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserMsgWaitForMultipleObjectsEx", "EventUID": "0x53", "Module": "win32k", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 1158, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.587134", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x54", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x263a", "ValueName": "0x27accf8", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acbb0", "Length": "0x5a", "ResultLength": "0x27acb64"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587457", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x57", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x1b4", "PortInformationClass": "0x0", "PortInformation": "0xc6f217f828", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587653", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x59", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x20ea2805370", "BufferLength": "0xc6f217f818", "ReceiveMessageAttributes": "0xc6f217f838", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587730", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x263a"} +{"Plugin": "syscall", "TimeStamp": "1716999134.587842", "PID": 2820, "PPID": 
636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x5c", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f738", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588060", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x5f", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x20e9f5dbd88", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588148", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x60", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588281", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x63", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "NArgs": 7, "SourceProcessHandle": "0xffffffffffffffff", "SourceHandle": "0x558", "TargetProcessHandle": "0xffffffffffffffff", "TargetHandle": "0xc6f217df00", "DesiredAccess": "0x0", "HandleAttributes": "0x0", "Options": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588451", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x65", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "NArgs": 7, "SourceProcessHandle": "0xffffffffffffffff", "SourceHandle": "0x718", "TargetProcessHandle": "0xffffffffffffffff", "TargetHandle": "0xc6f217ddc0", "DesiredAccess": "0x0", "HandleAttributes": "0x0", "Options": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588526", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x66", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2572"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588671", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x69", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "NArgs": 1, "Handle": "0x718"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588841", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x6b", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0xc6f217f550", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.588915", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x6c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27acb00", "Length": "0x180", 
"ResultLength": "0x27acaec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589029", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x6e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x410000", "SendMessage": "0x20ea280b970", "SendMessageAttributes": "0xc6f217f530", "ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589386", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcQueryInformationMessage", "EventUID": "0x71", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 138, "NArgs": 6, "PortHandle": "0x554", "PortMessage": "0xb54e470", "MessageInformationClass": "0x3", "MessageInformation": "0x31ebb98", "Length": "0x14", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x72", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac730", "Length": "0x4", "ResultLength": "0x27ac768"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589762", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x75", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x0", "SendMessage": "0xb54e470", "SendMessageAttributes": "0x31ebbb0", 
"ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.589809", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x76", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac6a8", "Length": "0x4", "ResultLength": "0x27ac6b8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590114", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x79", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac738", "DesiredAccess": "0x20019", "ObjectAttributes": "\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590354", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x20000", "SendMessage": "0xb54e470", "SendMessageAttributes": "0xb500ec8", "ReceiveMessage": "0xb54e470", "BufferLength": "0x31eb698", "ReceiveMessageAttributes": "0xb500ec8", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590599", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac748", "DesiredAccess": "0x20019", "ObjectAttributes": 
"\\Registry\\Machine\\Software\\Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590678", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x7e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "NArgs": 1, "Handle": "0x51c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.590895", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x81", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f99c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591039", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x83", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591078", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x84", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x20ea1e40e80"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591236", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x86", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x1b4", "PortInformationClass": "0x0", "PortInformation": "0xc6f217f888", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591405", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x89", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x20ea280b970", "BufferLength": "0xc6f217f878", "ReceiveMessageAttributes": "0xc6f217f898", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591563", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x8b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591601", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x8c", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f798", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591771", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x8f", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x20e9f5dbd88", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591914", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x91", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.591954", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x92", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0xc6f217f5b0", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592128", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x95", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f99c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592281", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x97", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592329", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x98", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x450000", "SendMessage": "0x20ea25346f0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592670", "PID": 3888, "PPID": 2852, "TID": 7160, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x9b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0x9cbd628"} +{"Plugin": "syscall", "TimeStamp": "1716999134.592780", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x9c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "DisableProcessIsolation", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593114", "PID": 3888, "PPID": 2852, "TID": 7160, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x9f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x20000", "SendMessage": "0xb54a030", "SendMessageAttributes": "0xb502d28", "ReceiveMessage": "0xb54a030", "BufferLength": "0x9cbdcb8", "ReceiveMessageAttributes": "0xb502d28", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593289", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xa1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593383", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0xa2", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x1b4", "PortInformationClass": "0x0", "PortInformation": "0xc6f217f828", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593615", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xa5", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x1b4", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x20ea2805370", "BufferLength": "0xc6f217f818", "ReceiveMessageAttributes": "0xc6f217f838", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593767", "PID": 2820, "PPID": 636, "TID": 
5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xa7", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f738", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593853", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xa8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.593999", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xab", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x20e9f5dbd88", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594210", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0xad", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "NArgs": 1, "Handle": "0x558"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594290", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xae", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594458", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xb1", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0xc6f217f550", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594643", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xb3", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0xc6f217f99c", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xb4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.594861", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", 
"EventUID": "0xb6", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x20ea1e40e80"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595290", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtDuplicateObject", "EventUID": "0xb9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 60, "NArgs": 7, "SourceProcessHandle": "0xffffffffffffffff", "SourceHandle": "0xbe4", "TargetProcessHandle": "0xffffffffffffffff", "TargetHandle": "0x31ed330", "DesiredAccess": "0x0", "HandleAttributes": "0x0", "Options": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595337", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "NoOplock", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595645", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xbd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.595798", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xbf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.595947", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "NArgs": 5, "Handle": "0x6dc", "ObjectInformationClass": "0x1", "ObjectInformation": "0x0", "ObjectInformationLength": "0x0", "ReturnLength": "0x31ed438"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607263", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xc3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607593", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "NArgs": 5, "Handle": "0x6dc", "ObjectInformationClass": "0x1", "ObjectInformation": "0xb8157d0", "ObjectInformationLength": "0xae", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607894", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xc7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.607936", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "NArgs": 5, "Handle": "0x6dc", "ObjectInformationClass": "0x4", "ObjectInformation": "0x31ed420", "ObjectInformationLength": "0x2", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608210", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xcb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608264", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationObject", "EventUID": "0xcc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 92, "NArgs": 4, "Handle": "0x6dc", "ObjectInformationClass": "0x4", "ObjectInformation": "0x31ed420", "ObjectInformationLength": "0x2"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608623", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenSection", "EventUID": "0xcf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 55, "NArgs": 3, "SectionHandle": "0x31ed3c8", "DesiredAccess": "0x4", "ObjectAttributes": "RestrictedErrorObject-{E4F7C058-38B2-4C85-64DD-9071BBDC9034}"} +{"Plugin": "syscall", "TimeStamp": "1716999134.608911", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xd1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "UseInProcHandlerCache", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.609144", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xd2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x554", "Flags": "0x20000", "SendMessage": "0xb547e10", "SendMessageAttributes": "0xb500ec8", "ReceiveMessage": "0xb547e10", "BufferLength": "0x31edcb8", "ReceiveMessageAttributes": "0xb500ec8", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.609468", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x3", "KeyInformation": "0x27acc70", "Length": "0x188", "ResultLength": "0x27acc4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.609596", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0xd5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 51, "NArgs": 6, "FileHandle": "0x75ce30", "DesiredAccess": "0x100001", "ObjectAttributes": "\\??\\c:\\program files (x86)\\microsoft\\edge\\SystemResources\\msedge.exe.mun", "IoStatusBlock": "0x75cdf0", "ShareAccess": "0x5", "OpenOptions": "0x60"} +{"Plugin": "syscall", "TimeStamp": "1716999134.610163", "PID": 3888, 
"PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2572", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac890", "Length": "0x4", "ResultLength": "0x27ac8c8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.610419", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0xda", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.610532", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xdb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ac780", "TokenInformationLength": "0x58", "ReturnLength": "0x27ac778"} +{"Plugin": "syscall", "TimeStamp": "1716999134.610785", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xde", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.610872", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xdf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac898", "DesiredAccess": "0x2000000", "ObjectAttributes": 
"\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.611121", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0xe2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.611324", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xe4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2572", "ValueName": "UseOutOfProcHandlerCache", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27acee0", "Length": "0x10", "ResultLength": "0x27ace94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.611425", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0xe5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 59, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.611727", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xe8", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.611813", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xe9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2572"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.612043", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0xec", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 53, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.612129", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateEvent", "EventUID": "0xed", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 72, "NArgs": 5, "EventHandle": "0x27ac9e8", "DesiredAccess": "0x1f0003", "ObjectAttributes": "0x0", "EventType": "0x1", "InitialState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.612356", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xf0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.612463", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0xf1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x27acf20"} +{"Plugin": "syscall", "TimeStamp": "1716999134.612582", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0xf3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": 
"0x27acf20"} +{"Plugin": "syscall", "TimeStamp": "1716999134.612852", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0xf6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.613109", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0xf8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x27ad0c8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "0x0", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.613196", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xf9", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.613456", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateFile", "EventUID": "0xfc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 85, "NArgs": 11, "FileHandle": "0x27acf00", "DesiredAccess": "0x80100080", "ObjectAttributes": "\\??\\C:\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "IoStatusBlock": "0x27acf08", "AllocationSize": "0x0", "FileAttributes": "0x0", "ShareAccess": "0x3", "CreateDisposition": "0x1", "CreateOptions": "0x60", "EaBuffer": "0x0", "EaLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.613617", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtGdiSelectBitmap", "EventUID": "0xfd", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.613877", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x100", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614019", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x102", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.614254", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x104", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614370", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x106", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.614587", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x108", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614685", 
"PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x109", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 10, "NArgs": 1, "hWnd": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.614996", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReadFile", "EventUID": "0x10c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 6, "NArgs": 9, "FileHandle": "\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "Event": "0x0", "ApcRoutine": "0x0", "ApcContext": "0x0", "IoStatusBlock": "0x27ace60", "Buffer": "0xada3264", "Length": "0x1000", "ByteOffset": "0x0", "Key": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.616392", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0x10d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.616648", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x110", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.616761", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x112", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1196, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.616991", "PID": 3888, "PPID": 2852, "TID": 
2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x114", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.617190", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x116", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.617398", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x118", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.617494", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x119", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.617739", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x11c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.617823", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x11d", "Module": "win32k", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 59, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.618057", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x120", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.618168", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x122", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.618373", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x124", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.618456", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x125", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 53, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.618698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x128", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.618808", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x12a", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.619031", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x12c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.619141", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x12e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.619368", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x130", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.619450", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x131", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.619724", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x134", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, 
"Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.619810", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x135", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.620043", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x138", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.620154", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x13a", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.620367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x13c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.620477", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x13e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.620697", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x140", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.620814", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x142", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.621026", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x144", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.621108", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x145", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.621343", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x148", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.621461", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateBitmap", "EventUID": "0x14a", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 107, 
"NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.621753", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x14c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.621861", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x14d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.622081", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x150", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622159", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x151", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.622384", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x154", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622463", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x155", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "NArgs": 11, "hdcDst": "0x120108a8", "x": "0x0", "y": "0x0", "cx": "0x30", "cy": "0x60", "hdcSrc": "0x401019a", "xSrc": "0x0", "ySrc": "0x0", "rop4": "0xcc0020", "crBackColor": "0xffffffff", "fl": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622772", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x158", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27accf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.622865", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x159", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.623099", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x15c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.623170", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x15d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.623390", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x160", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.623461", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x161", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.623781", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x164", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac018", "Length": "0x4", "ResultLength": "0x27ac028"} +{"Plugin": "syscall", "TimeStamp": "1716999134.623857", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x165", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.624085", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x168", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac048", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624257", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCreateEmptyCursorObject", "EventUID": "0x169", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 956, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.624470", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x16c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac100", "Length": "0x10", "ResultLength": "0x27ac0b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624571", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetCursorIconData", "EventUID": "0x16d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 158, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.624882", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUnmapViewOfSection", "EventUID": "0x170", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 42, "NArgs": 2, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x121a0000"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624920", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x171", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.624991", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtUnmapViewOfSectionEx", "EventUID": "0x172", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 461, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x121a0000", "Flags": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.625707", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x176", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac018", "Length": "0x4", "ResultLength": "0x27ac028"} +{"Plugin": "syscall", "TimeStamp": "1716999134.625856", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x178", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x75e908", "Length": "0x4", "ResultLength": "0x75e918"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626004", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x17a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac048", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626182", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x17c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x75e938", "DesiredAccess": "0x20119", "ObjectAttributes": 
"\\Software\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626368", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x17e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac100", "Length": "0x10", "ResultLength": "0x27ac0b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626542", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x17f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "NArgs": 4, "KeyHandle": "0xbe4", "KeySetInformationClass": "0x5", "KeySetInformation": "0x75e930", "KeySetInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626811", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x182", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "PolicyType", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.626881", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x183", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627196", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x186", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb08", "Length": "0x4", "ResultLength": "0x27abb18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627345", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x188", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "Behavior", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627508", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x189", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb38", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627832", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "MergeAlgorithm", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.627878", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abbf0", "Length": "0x10", "ResultLength": "0x27abba4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628258", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x190", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "RegKeyPathRedirectMapped", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628325", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x191", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628621", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x194", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb08", "Length": "0x4", "ResultLength": "0x27abb18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628774", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x196", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", 
"ValueName": "RegKeyPathRedirect", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.628938", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x197", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb38", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "grouppolicyname", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629281", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2694", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abbf0", "Length": "0x10", "ResultLength": "0x27abba4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629667", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", 
"ValueName": "ADMXMetadataUser", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.629711", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x19f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630176", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1a2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "ADMXMetadataDevice", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630217", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630492", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ace18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630637", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryValueKey", "EventUID": "0x1a8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "ADMXMetadataBoth", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0xc", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.630778", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1a9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631037", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1ac", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "TerminalServices-RemoteConnectionManager-AllowAppServerMode", "Type": "0x75e9d0", "Buffer": "0x75e9c0", "Length": "0x4", "ReturnedLength": "0x75e9d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631120", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1ad", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "NArgs": 5, "FileHandle": "\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "IoStatusBlock": "0x27acea0", "FileInformation": "0xada42d8", "Length": "0x28", "FileInformationClass": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631408", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": 
"Kernel-ProductInfo", "Type": "0x75e884", "Buffer": "0x75e888", "Length": "0x4", "ReturnedLength": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631489", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1b1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "NArgs": 5, "FileHandle": "\\Users\\litter\\Desktop\\Microsoft Edge.lnk", "IoStatusBlock": "0x27acea0", "FileInformation": "0xada4300", "Length": "0x18", "FileInformationClass": "0x5"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631755", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Kernel-ProductInfoLegacyMapping", "Type": "0x75e884", "Buffer": "0x75e8c0", "Length": "0xc8", "ReturnedLength": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.631796", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1b5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ace18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632065", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "30Value", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75e7b0", "Length": "0xc", "ResultLength": "0x75e764"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.632116", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1b9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632419", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1bc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632569", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xbe4", "ValueName": "Value", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x75ea30", "Length": "0x10", "ResultLength": "0x75e9e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.632729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633312", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1c2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.633476", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x1c4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633622", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1c6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633797", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x1c8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x75e838", "Length": "0x4", "ResultLength": "0x75e848"} +{"Plugin": "syscall", "TimeStamp": "1716999134.633971", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1ca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634128", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x1cc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x75e868", "DesiredAccess": "0x20119", "ObjectAttributes": 
"\\Software\\Microsoft\\PolicyManager\\current\\Device\\DataProtection", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634325", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1cd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634593", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetIconInfo", "EventUID": "0x1d0", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 79, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.634629", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1d1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.634880", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1d4", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.634915", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635178", "PID": 3888, "PPID": 2852, "TID": 6956, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x1d8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 10, "NArgs": 1, "hWnd": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635213", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1d9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635447", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1dc", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.635481", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.635729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x1e0", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1196, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.635764", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1e1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636000", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1e4", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636042", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1e5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636306", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x1e8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636341", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1e9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636594", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1ec", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636639", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.636899", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1f0", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.636933", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1f1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637190", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1f4", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.637224", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637484", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBSection", "EventUID": "0x1f8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 151, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.637530", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1f9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637619", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x1fa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0x0", "ZeroBits": "0x0", "RegionSize": "0xfffff5069e7b49c8", "AllocationType": "0x3000", "Protect": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.637839", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1fe", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638039", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x200", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.638117", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x201", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": 
"0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638338", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x204", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 152, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.638416", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x205", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638650", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x208", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 59, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.638728", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x209", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.638954", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x20c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.639045", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtReleaseMutant", "EventUID": "0x20d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.639287", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x210", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 53, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.639367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x211", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.639610", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x214", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.639693", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x215", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.639921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x218", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 41, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.640004", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x219", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.640235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x21c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.640327", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x21d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.640558", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x220", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.640651", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x221", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.640882", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtGdiRestoreDC", "EventUID": "0x224", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 58, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.640964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x225", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.641183", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x228", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.641261", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x229", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.641483", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x22c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.641573", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x22d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.641806", 
"PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x230", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.641884", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x231", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642105", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x234", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.642182", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x235", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642401", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x238", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.642478", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x239", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x23c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.642815", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x23d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643048", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x240", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e700", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643137", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x241", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643370", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenProcess", "EventUID": "0x244", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e758", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e700", "ClientId": "0x75e6f0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.643480", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x245", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.644761", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x248", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e770"} +{"Plugin": "syscall", "TimeStamp": "1716999134.644846", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x249", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e770"} +{"Plugin": "syscall", "TimeStamp": "1716999134.644922", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x24a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645271", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x24e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645349", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x24f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75e810", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e790"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645624", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x252", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645702", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x253", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e6e8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.645973", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x256", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", 
"PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646122", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x258", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646272", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x25a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646433", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x25c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646584", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x25e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646757", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x260", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.646908", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x262", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647044", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x264", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647207", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x266", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647367", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x268", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647537", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x26a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647782", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x26c", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e6e0", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.647942", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x26e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648085", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x270", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e738", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6e0", "ClientId": "0x75e6d0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648680", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x272", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648828", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x274", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e750"} +{"Plugin": "syscall", "TimeStamp": "1716999134.648911", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x275", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e750"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x276", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649321", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x27a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75e7f0", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e770"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649358", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x27b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649626", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x27e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e6c8", "DesiredAccess": "0x1f0001", "ObjectAttributes": 
"Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649676", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x27f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649943", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x282", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.649989", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x283", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650242", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x286", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650275", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x287", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.650525", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x28a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650557", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x28b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650807", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x28e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.650845", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x28f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651104", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x292", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651137", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x293", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651387", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0x296", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 51, "NArgs": 6, "FileHandle": "0x75e7d8", "DesiredAccess": "0x100000", "ObjectAttributes": "\\??\\C:\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer", "IoStatusBlock": "0x75e7f0", "ShareAccess": "0x0", "OpenOptions": "0x800021"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651452", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x297", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651701", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVolumeInformationFile", "EventUID": "0x29a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 73, "NArgs": 5, "FileHandle": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer", "IoStatusBlock": "0x75e7f0", "FsInformation": "0x75e830", "Length": "0x18", "FsInformationClass": "0xfc6315f700000003"} +{"Plugin": "syscall", "TimeStamp": "1716999134.651773", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x29b", "Module": "nt", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652034", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x29e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652067", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x29f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652300", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652334", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27acd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652583", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", 
"ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652620", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2a7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652880", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2aa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.652930", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653436", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653473", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2af", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653530", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2b0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653857", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.653998", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654149", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654319", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654471", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654624", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2be", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654788", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.654939", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2c2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655078", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655216", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655512", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655665", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655815", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", 
"EventUID": "0x2ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.655955", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656102", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2d2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656247", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2d4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656395", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.656853", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657008", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2da", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657085", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2db", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657249", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657516", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2e0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.657555", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657857", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2e4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.657914", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658168", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658202", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2e9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.658458", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658496", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658763", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2f0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.658796", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659055", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x2f4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659094", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659357", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659393", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2f9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659652", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659704", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.659963", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryInformationProcess", "EventUID": "0x300", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660006", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x301", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660256", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x304", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660309", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x305", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660823", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x308", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660859", "PID": 3888, "PPID": 
2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x309", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.660926", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x30a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661235", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x30e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661376", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x310", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661539", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x312", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.661696", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x314", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.661848", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x316", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662008", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x318", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662167", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x31a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662319", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x31c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.662461", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x31e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662612", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x320", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662777", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x322", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.662928", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x324", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.663071", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x326", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.663224", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x328", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.663379", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.663537", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x32c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.663709", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.663860", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x330", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.664575", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x332", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.664853", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x334", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.664896", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x335", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.664971", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x336", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.665315", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.665470", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x33c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.665647", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.665819", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x340", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.665971", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x342", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.666157", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": 
"0x344", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.666322", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x346", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.666479", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x348", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.666624", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x34a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.666789", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x34c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.666937", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x34e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.667091", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x350", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.667249", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x352", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.667416", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x354", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.667565", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x356", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.667719", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x358", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.667866", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.668021", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x35c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.668183", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.668337", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x360", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.668749", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x362", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.668905", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x364", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.668986", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x365", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.669103", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x366", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.669435", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x36a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.669474", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x36b", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.669745", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x36e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.669799", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x36f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.670066", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x372", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.670100", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x373", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.670411", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x376", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.670452", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x377", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.670727", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.670766", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671023", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x37e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671059", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x37f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.671331", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x382", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671365", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x383", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671621", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x386", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671659", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x387", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671916", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x38a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": 
"0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.671970", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x38b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.672489", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x38e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.672526", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x38f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.672660", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x390", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.672986", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x394", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.673126", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x396", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.673283", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x398", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.673521", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x39a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.673672", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x39c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.673824", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x39e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.673964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3a0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.674113", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.674272", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.674425", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.674567", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", 
"Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.674729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x3aa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.674872", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3ac", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.675020", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.675160", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x27ac968"} +{"Plugin": "syscall", "TimeStamp": "1716999134.675322", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.675480", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.675634", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.675797", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.675948", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.676373", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": 
"0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x27acd60"} +{"Plugin": "syscall", "TimeStamp": "1716999134.676454", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x27acd60"} +{"Plugin": "syscall", "TimeStamp": "1716999134.676574", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3be", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.676694", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x3c0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677014", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x27ace00"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677095", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3c5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x27ace00"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677197", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3c6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677532", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677580", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x3cb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677848", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.677883", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3cf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abcd8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678173", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678211", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3d3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x14a8", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abd90", "Length": "0x10", "ResultLength": "0x27abd44"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678505", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3d6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678679", "PID": 3888, "PPID": 2852, "TID": 
2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678829", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3da", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.678989", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x3dc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679145", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3de", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679288", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3e0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abcd8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679466", "PID": 3888, 
"PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3e2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.679954", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3e4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3e5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x14a8", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27abd90", "Length": "0x10", "ResultLength": "0x27abd44"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680536", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680615", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtOpenProcessTokenEx", "EventUID": "0x3e9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.680731", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ea", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681133", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3ee", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681341", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0x507000", "ZeroBits": "0x0", "RegionSize": "0x27abb10", "AllocationType": "0x1000", "Protect": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681523", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3f2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": 
"Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681868", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.681902", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "*BaseAddress": "0xb8fc000", "ZeroBits": "0x0", "RegionSize": "0x27a9730", "AllocationType": "0x1000", "Protect": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682206", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682538", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3fa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x8b0", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682684", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3fc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 
1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682824", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3fe", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.682992", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x400", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683132", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x402", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0x8b0", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683283", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x404", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683432", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x406", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683599", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x408", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683796", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x40a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac428", "Length": "0x4", "ResultLength": "0x27ac438"} +{"Plugin": "syscall", "TimeStamp": "1716999134.683943", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x40c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684089", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x40e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac458", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684268", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x410", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684679", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x412", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac510", "Length": "0x10", "ResultLength": "0x27ac4c4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684814", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x413", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.684895", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x414", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685212", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x418", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685357", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x41a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xbe4", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685503", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x41c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27ac428", "Length": "0x4", "ResultLength": "0x27ac438"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685676", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x41e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685817", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x420", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27ac458", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.685988", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x422", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686131", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x424", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac510", "Length": "0x10", "ResultLength": "0x27ac4c4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686271", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x425", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686555", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x428", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686589", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x429", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686861", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x42c", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abf18", "Length": "0x4", "ResultLength": "0x27abf28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.686903", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x42d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687166", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x430", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abf48", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687217", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x431", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687480", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x434", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "ValidateRegItems", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac000", "Length": "0x10", "ResultLength": "0x27abfb4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687522", "PID": 3888, "PPID": 
2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x435", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.687820", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x438", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688232", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x43a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688377", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x43c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688467", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x43d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", 
"DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688576", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x43e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27abf18", "Length": "0x4", "ResultLength": "0x27abf28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688892", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x442", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abf48", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.688944", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x443", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2648", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689196", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x446", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "MonitorRegistry", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac000", "Length": "0x10", "ResultLength": 
"0x27abfb4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689238", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x447", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689540", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689686", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.689861", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690033", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x450", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x27acf28", "Length": "0x4", "ResultLength": 
"0x27acf38"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690117", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x451", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690350", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x454", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27acf58", "DesiredAccess": "0x20119", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690479", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x455", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690708", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x458", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "NArgs": 4, "KeyHandle": "0x8b0", "KeySetInformationClass": "0x5", "KeySetInformation": "0x27acf50", "KeySetInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.690811", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x459", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, 
"MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691043", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x45c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x8b0", "KeyInformationClass": "0x4", "KeyInformation": "0x27aced0", "Length": "0x28", "ResultLength": "0x27acda0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691129", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x45d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691434", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x460", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691515", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x461", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691761", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x464", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.691884", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x465", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x27ac900", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692309", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x468", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692395", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x469", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x27ac4d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692431", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692555", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x27ac4d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.692942", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x470", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2694", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693028", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x471", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x8b0", "TokenInformationClass": "0x12", "TokenInformation": "0x27ac4bc", "TokenInformationLength": "0x4", "ReturnLength": "0x27ac4cc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693238", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x474", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693500", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x477", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693581", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x478", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2694"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693803", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x47b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abf20", "Length": "0x180", "ResultLength": "0x27abf0c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.693886", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x47c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694193", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x47f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694267", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x480", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 
22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb50", "Length": "0x4", "ResultLength": "0x27abb88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694505", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x483", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694580", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x484", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abac8", "Length": "0x4", "ResultLength": "0x27abad8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694803", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x487", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2648"} +{"Plugin": "syscall", "TimeStamp": "1716999134.694882", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x488", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb58", "DesiredAccess": "0x20019", "ObjectAttributes": "\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.695180", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", 
"EventUID": "0x48b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.697389", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.698139", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x48f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.698305", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x490", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.698939", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x493", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2638", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", 
"TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.699431", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x495", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.699788", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x497", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.700167", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x499", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.700454", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x49b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.700745", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x49d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.701021", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x49f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.701322", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x75e858"} +{"Plugin": "syscall", "TimeStamp": "1716999134.701623", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4a3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.701921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.702481", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4a7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 
297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.702561", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4a8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e948"} +{"Plugin": "syscall", "TimeStamp": "1716999134.703059", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x8b0", "TokenInformationClass": "0x1", "TokenInformation": "0x75ea90", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e988"} +{"Plugin": "syscall", "TimeStamp": "1716999134.703356", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.703746", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.704042", "PID": 3888, "PPID": 2852, "TID": 
6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.704359", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4b3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.705967", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xb18", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.706350", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.706706", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0x75e890", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.706937", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4bb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0x75e8e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientId": "0x75e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.707829", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.707979", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0x75e950"} +{"Plugin": "syscall", "TimeStamp": "1716999134.708400", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x14a8", "TokenInformationClass": "0x1", "TokenInformation": "0x75eb30", "TokenInformationLength": "0xa0", "ReturnLength": "0x75e98c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.708763", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4c3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": 
"0x75e878", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.709242", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x14a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.709554", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.709923", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.710238", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x4cb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xb0c", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.710534", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4cd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xb18", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.711886", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.712359", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4d2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.712872", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.713205", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4d6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "NArgs": 11, "hdcDst": "0x710107cc", "x": "0x0", "y": "0x0", "cx": "0x400", "cy": "0x2d8", "hdcSrc": "0x610108f5", "xSrc": "0x0", "ySrc": "0x0", "rop4": "0xcc0020", "crBackColor": "0xffffffff", "fl": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.714358", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d8", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.714680", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4da", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.714989", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExcludeClipRect", "EventUID": "0x4dc", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 150, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.715423", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4de", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.715760", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.717243", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.717664", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.717997", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.718237", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtFindAtom", "EventUID": "0x4e8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 20, "NArgs": 3, "AtomName": "0x7ffbc1f85250", "Length": "0x1c", "Atom": "0x16d5e0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.718577", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4eb", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.719162", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x4ed", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.719503", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetAppClipBox", "EventUID": "0x4ef", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 67, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.720141", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x4f1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.720481", "PID": 3888, "PPID": 2852, "TID": 3844, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4f3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.720888", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4f5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "NArgs": 11, "hdcDst": "0x710107cc", "x": "0x0", "y": "0x2d8", "cx": "0x400", "cy": "0x28", "hdcSrc": "0x2401075f", "xSrc": "0x0", "ySrc": "0x2d8", "rop4": "0xcc0020", "crBackColor": "0xffffffff", "fl": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.721340", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4f7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.721642", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x4f8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb68", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722218", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x4fb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe70", "Length": "0x188", 
"ResultLength": "0x27abe4c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722351", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x4fc", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.722634", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x4ff", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba90", "Length": "0x4", "ResultLength": "0x27abac8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722674", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x500", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0x16ce58", "Length": "0x4", "ResultLength": "0x16ce68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.722946", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x503", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ab980", "TokenInformationLength": "0x58", "ReturnLength": "0x27ab978"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723001", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", 
"EventUID": "0x504", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16ce88", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723388", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x507", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27aba98", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723433", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x508", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "DisplayVersion", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cf40", "Length": "0x10", "ResultLength": "0x16cef4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723864", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x50b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x264a", "ValueName": "0x27ac228", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac0e0", "Length": "0x90", "ResultLength": "0x27ac094"} +{"Plugin": "syscall", "TimeStamp": "1716999134.723924", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x50c", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724194", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x50f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0x16d190", "DesiredAccess": "0x82000000", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\2BD63D28D7BCD0E251195AEB519243C13142EBC3"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724369", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x510", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe90", "Length": "0x180", "ResultLength": "0x27abe7c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724658", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x513", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0x16d190", "DesiredAccess": "0x82000000", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\2BD63D28D7BCD0E251195AEB519243C13142EBC3"} +{"Plugin": "syscall", "TimeStamp": "1716999134.724817", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x514", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abac0", 
"Length": "0x4", "ResultLength": "0x27abaf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725113", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x517", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba38", "Length": "0x4", "ResultLength": "0x27aba48"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725150", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x518", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x16d020", "TokenInformationLength": "0x58", "ReturnLength": "0x16d018"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725432", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x51b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abac8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725536", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x51c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0x16d190", "DesiredAccess": "0x82000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001\\\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\2BD63D28D7BCD0E251195AEB519243C13142EBC3"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.725944", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x51f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abad8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.725986", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x520", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0x16cdf8", "Length": "0x4", "ResultLength": "0x16ce08"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726232", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x523", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe20", "Length": "0x180", "ResultLength": "0x27abe0c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726268", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x524", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16ce28", "DesiredAccess": "0x1", "ObjectAttributes": "\\Control Panel\\Desktop", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726661", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x527", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b0", "ValueName": "PaintDesktopVersion", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cee0", "Length": "0x10", "ResultLength": "0x16ce94"} +{"Plugin": "syscall", "TimeStamp": "1716999134.726837", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x528", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba50", "Length": "0x4", "ResultLength": "0x27aba88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727126", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x52b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ab940", "TokenInformationLength": "0x58", "ReturnLength": "0x27ab938"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727170", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x52c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727447", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x52f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27aba58", 
"DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile\\CurVer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727500", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x530", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "NArgs": 4, "SystemInformationClass": "0x67", "SystemInformation": "0x16d150", "SystemInformationLength": "0x8", "ReturnLength": "0x16d158"} +{"Plugin": "syscall", "TimeStamp": "1716999134.727906", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x535", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27ab9c8", "Length": "0x4", "ResultLength": "0x27ab9d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728090", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x537", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "NArgs": 4, "SystemInformationClass": "0x86", "SystemInformation": "0x16d050", "SystemInformationLength": "0x20", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728214", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x539", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27aba68", "DesiredAccess": "0x1", "ObjectAttributes": "\\CurVer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.728551", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x53c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-FlexibleClipEnabled", "Type": "0x0", "Buffer": "0xfffff506a06aa0bc", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728778", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x53e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Virtualization-AllowInheritance", "Type": "0x0", "Buffer": "0xfffff506a06aa034", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa03c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728862", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x53f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abe80", "Length": "0x180", "ResultLength": "0x27abe6c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.728999", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x541", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-IgnoreDeferredActivation", "Type": "0x0", "Buffer": "0xfffff506a06aa0d0", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0cc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729185", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x544", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729363", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x546", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x547", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abab0", "Length": "0x4", "ResultLength": "0x27abae8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729698", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x54a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.729792", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x54b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27ab9a0", "TokenInformationLength": "0x58", "ReturnLength": "0x27ab998"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730025", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x54e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730096", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x54f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abab8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730336", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x552", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730509", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x554", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, 
"NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730586", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x555", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27aba28", "Length": "0x4", "ResultLength": "0x27aba38"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730846", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x558", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.730925", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x559", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abac8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731159", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.731237", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe6"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731586", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x560", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000158", "ValueName": "BCAD88B8AD93307DF004940AC03E83B40FEDF759EFA4CEC43530389481543307", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9cc0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731708", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x561", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac190", "Length": "0x188", "ResultLength": "0x27ac16c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.731974", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x564", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06a9f30", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Hvsi"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732186", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryValueKey", "EventUID": "0x566", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "DisableLicensingVdevForWDAG", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ee0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732286", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x567", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abdb0", "Length": "0x4", "ResultLength": "0x27abde8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732538", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x56a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 7, "KeyHandle": "0xfffff506a06a9ef0", "DesiredAccess": "0xf003f", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Hvsi", "TitleIndex": "0x0", "Class": "0x0", "CreateOptions": "0x0", "Disposition": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x56b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abca0", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.732891", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x56e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "HostRedirect", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733066", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x56f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abdb8", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733185", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x571", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "IsHvsiContainer", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733470", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x574", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80002420"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733546", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x575", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2696", "ValueName": "IsShortcut", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x27ac400", "Length": "0xc", "ResultLength": "0x27ac3b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733806", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x578", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.733980", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x579", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac0f0", "Length": "0x180", "ResultLength": "0x27ac0dc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.734524", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x57d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "NArgs": 4, "SystemInformationClass": "0x86", "SystemInformation": "0x16d050", "SystemInformationLength": "0x20", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.734610", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x57e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd20", "Length": "0x4", "ResultLength": "0x27abd58"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.734910", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x582", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc10", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc08"} +{"Plugin": "syscall", "TimeStamp": "1716999134.734952", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x583", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-FlexibleClipEnabled", "Type": "0x0", "Buffer": "0xfffff506a06aa0bc", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0e4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735152", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x586", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Virtualization-AllowInheritance", "Type": "0x0", "Buffer": "0xfffff506a06aa034", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa03c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735318", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x588", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd28", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.735393", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x589", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "NArgs": 5, "Name": "Security-SPP-IgnoreDeferredActivation", "Type": "0x0", "Buffer": "0xfffff506a06aa0d0", "Length": "0x4", "ReturnedLength": "0xfffff506a06aa0cc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735558", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x58b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735749", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x58e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.735875", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x58f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abc98", "Length": "0x4", "ResultLength": "0x27abca8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736079", "PID": 3888, "PPID": 2852, "TID": 
3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x592", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736210", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x593", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736428", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x595", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736773", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x598", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac110", "Length": "0x180", "ResultLength": "0x27ac0fc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736815", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x599", "Module": "nt", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": "0xfffff506a06aa040", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\ProductOptions"} +{"Plugin": "syscall", "TimeStamp": "1716999134.736992", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x59b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737290", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x59e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd40", "Length": "0x4", "ResultLength": "0x27abd78"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737329", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x59f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "OSProductPfn", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xffff810d86902610", "Length": "0x66", "ResultLength": "0xfffff506a06aa070"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737663", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5a2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc30", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.737701", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5a3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738053", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5a6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738113", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5a7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000158", "ValueName": "BCAD88B8AD93307DF004940AC03E83B40FEDF759EFA4CEC43530389481543307", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9cc0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738413", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x5aa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "NArgs": 3, "KeyHandle": 
"0xfffff506a06a9f30", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Hvsi"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738653", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ac", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x264a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abcb8", "Length": "0x4", "ResultLength": "0x27abcc8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738692", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80000708", "ValueName": "DisableLicensingVdevForWDAG", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ee0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.738999", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5b0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd58", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739066", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x5b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "NArgs": 7, "KeyHandle": "0xfffff506a06a9ef0", "DesiredAccess": "0xf003f", "ObjectAttributes": 
"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Hvsi", "TitleIndex": "0x0", "Class": "0x0", "CreateOptions": "0x0", "Disposition": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739259", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "HostRedirect", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739616", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27abf50", "Length": "0x180", "ResultLength": "0x27abf3c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739657", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0xffffffff80002420", "ValueName": "IsHvsiContainer", "KeyValueInformationClass": "0x1", "KeyValueInformation": "0x0", "Length": "0x0", "ResultLength": "0xfffff506a06a9ea0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.739951", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5ba", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80002420"} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.740082", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abb80", "Length": "0x4", "ResultLength": "0x27abbb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.740304", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xffffffff80000708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.740427", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abaf8", "Length": "0x4", "ResultLength": "0x27abb08"} +{"Plugin": "syscall", "TimeStamp": "1716999134.741010", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb88", "DesiredAccess": "0x20019", "ObjectAttributes": "\\SystemFileAssociations\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.741108", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSystemParametersInfo", "EventUID": "0x5c4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 66, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.741435", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x5c7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.741538", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5c8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abb98", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\SystemFileAssociations\\.exe", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.741856", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserEndPaint", "EventUID": "0x5cb", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.741966", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5cc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac100", "Length": "0x180", "ResultLength": "0x27ac0ec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.742654", "PID": 5740, "PPID": 5640, "TID": 5904, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x5cf", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xffffffff80000758", 
"PreviousState": "0xfffff5069eb0c010"} +{"Plugin": "syscall", "TimeStamp": "1716999134.742884", "PID": 5740, "PPID": 5640, "TID": 5904, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x5d2", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "NArgs": 5, "Count": "0x4", "Handles[]": "0xfffff5069eb0c910", "WaitType": "0x1", "Alertable": "0x1", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743167", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCancelTimer", "EventUID": "0x5d4", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 97, "NArgs": 2, "TimerHandle": "0x288", "CurrentState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743229", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd30", "Length": "0x4", "ResultLength": "0x27abd68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743510", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5d8", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x274", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743548", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5d9", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc20", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743814", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5dc", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x26c", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.743850", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\SystemFileAssociations\\.exe\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744180", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e0", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x288", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744325", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5e2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xbe6", "KeyInformationClass": "0x7", "KeyInformation": 
"0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744488", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e4", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0xffc", "Alertable": "0x0", "Timeout": "0x86900ffb98"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744630", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5e6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.744800", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISetSyncRefreshCountWaitTarget", "EventUID": "0x5e7", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 586, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.745104", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x5ea", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 91, "NArgs": 5, "Count": "0x2", "Handles[]": "0x86900ffc68", "WaitType": "0x1", "Alertable": "0x0", "Timeout": "0x86900ff910"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745270", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5eb", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac020", "Length": "0x180", "ResultLength": "0x27ac00c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745402", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCallbackReturn", "EventUID": "0x5ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 5, "NArgs": 3, "OutputBuffer": "0x16f630", "OutputLength": "0x18", "Status": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745660", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x5ef", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.745734", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5f0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abc50", "Length": "0x4", "ResultLength": "0x27abc88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745837", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x5f2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionReserveHandle": "0xffffffff80000b24", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0xfffff50600000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.745986", "PID": 3888, "PPID": 
2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x5f4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionInformation": "0xfffff5069e502898", "Count": "0x1", "NumEntriesRemoved": "0xfffff5069e5026bc", "Timeout": "0xfffff5069e5026d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746058", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5f5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abb40", "TokenInformationLength": "0x58", "ReturnLength": "0x27abb38"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746314", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5f9", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.746353", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5fa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abc58", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\exefile\\Clsid", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746688", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5fd", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.746821", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ff", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2696", "KeyInformationClass": "0x7", "KeyInformation": "0x27abbc8", "Length": "0x4", "ResultLength": "0x27abbd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.746975", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x601", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.747103", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x603", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abc68", "DesiredAccess": "0x1", "ObjectAttributes": "\\Clsid", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.747271", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x604", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.747538", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x607", "Module": "win32k", "vCPU": 
1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.747583", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x608", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac170", "Length": "0x180", "ResultLength": "0x27ac15c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.747905", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x60b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x1304", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.747984", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x60c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abda0", "Length": "0x4", "ResultLength": "0x27abdd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.748283", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x60f", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.748363", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x610", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, 
"PortHandle": "0x43c", "Flags": "0x20000", "SendMessage": "0xb54e470", "SendMessageAttributes": "0x23eff58", "ReceiveMessage": "0xb54e470", "BufferLength": "0xc17e5d8", "ReceiveMessageAttributes": "0x23eff58", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.748433", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x611", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionReserveHandle": "0xffffffff80000b24", "KeyContext": "0x0", "ApcContext": "0x2", "IoStatus": "0xffff806700000000", "IoStatusInformation": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.748737", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x613", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0xffffffff8000189c", "IoCompletionInformation": "0xfffff5069e502898", "Count": "0x1", "NumEntriesRemoved": "0xfffff5069e5026bc", "Timeout": "0xfffff5069e5026d8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749019", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x617", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x104", "PortInformationClass": "0x0", "PortInformation": "0x435237f548", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749202", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtUserGetThreadState", "EventUID": "0x619", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.749340", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x61b", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x104", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x16a346dd670", "BufferLength": "0x435237f538", "ReceiveMessageAttributes": "0x435237f558", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749519", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x61d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.749679", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x61f", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f458", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.749875", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x621", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.750023", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x623", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x16a34b70dc8", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.750191", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x625", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.750399", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x627", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x2c", "ThreadInformation": "0x435237f270", "ThreadInformationLength": "0x8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.750551", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x629", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.750692", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x62b", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f65c", "WorkerFactoryInformationLength": "0x4"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.750885", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x62d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.751009", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x62f", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 468, "NArgs": 2, "WorkerFactoryHandle": "0x1c", "MiniPacket": "0x16a351ae930"} +{"Plugin": "syscall", "TimeStamp": "1716999134.751225", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x631", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.751458", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x633", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xf50"} +{"Plugin": "syscall", "TimeStamp": "1716999134.751614", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x635", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.751767", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x637", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x19c4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.751941", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x639", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752080", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x63b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x12c0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.752237", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x63d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752395", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x63f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752556", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x641", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.752704", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x643", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2714"} +{"Plugin": "syscall", "TimeStamp": "1716999134.752860", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x645", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753010", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x647", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x19c0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.753166", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x649", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753297", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x64b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x26fc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.753535", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x64d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753671", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtCancelWaitCompletionPacket", "EventUID": "0x64f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753827", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x651", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.753958", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x653", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x1484"} +{"Plugin": "syscall", "TimeStamp": "1716999134.754125", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x655", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.754259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x657", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x263c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.754418", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x659", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.754557", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x65b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x13f0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.754794", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x65d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.754931", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x65f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755091", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x661", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755238", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x663", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x1820"} +{"Plugin": "syscall", "TimeStamp": "1716999134.755400", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x665", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755564", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x667", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x13a4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.755722", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x669", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.755857", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x66b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x138c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.756023", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x66d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.756188", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x66f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.756401", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x671", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.756570", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x673", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.756757", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x675", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.757015", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x677", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0xf90", "KeyInformationClass": "0x7", "KeyInformation": "0xc17e1a8", "Length": "0x4", "ResultLength": "0xc17e1b8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.757168", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x679", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.757321", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x67b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0xc17e1d8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.757543", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x67d", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.757959", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x67f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x268c", "ValueName": "NoStrCmpLogical", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0xc17e220", "Length": "0x10", "ResultLength": "0xc17e1d4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.758500", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x682", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.758538", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x683", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ffca0", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.758825", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x686", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0xc17e1a8", "Length": "0x4", "ResultLength": "0xc17e1b8"} +{"Plugin": 
"syscall", "TimeStamp": "1716999134.758864", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x687", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.759157", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x68a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0xc17e1d8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.759207", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x68b", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x86900ffa40", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.759497", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetTimerEx", "EventUID": "0x68e", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 432, "NArgs": 4, "TimerHandle": "0x280", "TimerSetInformationClass": "0x0", "TimerSetInformation": "0x86900ff950", "TimerSetInformationLength": "0x30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.759698", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x690", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 356, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.759733", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionBeginFrame", "EventUID": "0x691", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 286, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.759810", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x692", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xffffffff80000758"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760078", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x696", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17c490"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760170", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x697", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17c490"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760285", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetConnectionBatch", "EventUID": "0x698", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 305, "NArgs": 
0} +{"Plugin": "syscall", "TimeStamp": "1716999134.760619", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x69c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17c510"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760656", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x69d", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0x450", "IoCompletionInformation": "0x86900ff400", "Count": "0x1", "NumEntriesRemoved": "0x86900ff3f0", "Timeout": "0x86900ff3f8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.760732", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x69e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17c510"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761075", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x6a2", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "NArgs": 5, "Count": "0x1", "Handles[]": "0x1c25606f540", "WaitType": "0x1", "Alertable": "0x0", "Timeout": "0x86900fef50"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761243", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761321", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6a5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761388", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x6a6", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "NArgs": 6, "IoCompletionHandle": "0x450", "IoCompletionInformation": "0x86900ff400", "Count": "0x1", "NumEntriesRemoved": "0x86900ff3f0", "Timeout": "0x86900ff3f8", "Alertable": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761715", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6aa", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.761805", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6ab", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x17", "ProcessInformation": "0xc17d4e0", "ProcessInformationLength": "0x24", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762076", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameLegacyTokens", "EventUID": "0x6ae", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 307, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.762154", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6af", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6b1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17dfb0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762507", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiHLSurfGetInformation", "EventUID": "0x6b4", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 733, "NArgs": 0} +{"Plugin": "syscall", 
"TimeStamp": "1716999134.762717", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x17", "ProcessInformation": "0xc17d4e0", "ProcessInformationLength": "0x24", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.762801", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6b7", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.763053", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0xc17dc30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.763147", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0xc17dc30"} +{"Plugin": "syscall", "TimeStamp": "1716999134.763224", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6bc", "Module": 
"win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.763574", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x6c0", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 35, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.763662", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6c1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x17", "ProcessInformation": "0xc17dc30", "ProcessInformationLength": "0x24", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.763972", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameSurfaceUpdates", "EventUID": "0x6c4", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 309, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.764056", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x6c5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 356, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.764340", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6c8", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", 
"ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.764481", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x6ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xbb4", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.764700", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6cc", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.764796", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6cd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0xc17e7f0", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.765040", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckMonitorPowerState", "EventUID": "0x6d0", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 433, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.765121", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6d1", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0xc17e848", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e7f0", "ClientId": "0xc17e7e0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.766265", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckVidPnExclusiveOwnership", "EventUID": "0x6d4", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 439, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.766354", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x6d5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0xc17e860"} +{"Plugin": "syscall", "TimeStamp": "1716999134.766458", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x6d7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": "0x0", "TokenHandle": "0xc17e860"} +{"Plugin": "syscall", "TimeStamp": "1716999134.766685", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6d9", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.766938", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x6dc", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x2550", "TokenInformationClass": "0x1", "TokenInformation": "0xc17e900", "TokenInformationLength": "0xa0", "ReturnLength": "0xc17e880"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767027", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6dd", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767261", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x6e0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": "0xc17e7d8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767406", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e1", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff6f0", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767667", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", 
"EventUID": "0x6e4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2550"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767742", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e5", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff770", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.767990", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x6e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768075", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e9", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x17", "ThreadInformation": "0x86900ff5d0", "ThreadInformationLength": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768316", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x6ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xbb4", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768535", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6ee", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x86900ff8c0", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768620", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6ef", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "NArgs": 6, "FunctionCode": "0xc", "InBuffer": "0x0", "InBufferLen": "0x0", "OutBuffer": "0xc17e610", "OutBufferLen": "0x10", "ReturnLength": "0xc17e518"} +{"Plugin": "syscall", "TimeStamp": "1716999134.768839", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6f2", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "NArgs": 2, "PerformanceCounter": "0x86900ff960", "PerformanceFrequency": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769088", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x6f5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "NArgs": 5, "FileHandle": "\\Users\\litter\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db", "IoStatusBlock": "0xc17e4d0", "FileInformation": "0xc17e4e0", "Length": "0x18", "FileInformationClass": "0x5"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769232", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6f6", "Module": "win32k", "vCPU": 0, "CR3": 
"0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.769462", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6f9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "NArgs": 6, "FunctionCode": "0xc", "InBuffer": "0x0", "InBufferLen": "0x0", "OutBuffer": "0xc17e870", "OutBufferLen": "0x10", "ReturnLength": "0xc17e798"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769551", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6fa", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.769836", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x6fe", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xba4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.769917", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x6ff", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0xbb4", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770170", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x702", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xcd0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.770252", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x703", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2664"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770493", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x706", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "NArgs": 1, "EventHandle": "0xcd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770575", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x707", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "NArgs": 5, "ProcessHandle": "0xffffffffffffffff", "ProcessInformationClass": "0x0", "ProcessInformation": "0xc17e800", "ProcessInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.770821", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISubmitCommand", "EventUID": "0x70a", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 597, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.770905", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x70b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "NArgs": 4, "ProcessHandle": "0xc17e858", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e800", "ClientId": "0xc17e7f0"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.771226", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x70d", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 368, "NArgs": 1, "WorkerFactoryHandle": "0xbac"} +{"Plugin": "syscall", "TimeStamp": "1716999134.771667", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x710", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0xcd0", "Alertable": "0x0", "Timeout": "0x86907ff458"} +{"Plugin": "syscall", "TimeStamp": "1716999134.771741", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISignalSynchronizationObjectFromGpu2", "EventUID": "0x711", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 596, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.772060", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x714", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "NArgs": 5, "EventHandle": "0x86900fe0a0", "DesiredAccess": "0x1f0003", "ObjectAttributes": "0x0", "EventType": "0x0", "InitialState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.772246", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x716", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 368, "NArgs": 1, "WorkerFactoryHandle": "0xbac"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.772410", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x718", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "NArgs": 5, "EventHandle": "0x86900fe070", "DesiredAccess": "0x1f0003", "ObjectAttributes": "0x0", "EventType": "0x0", "InitialState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.772770", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIPresent", "EventUID": "0x71a", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 543, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.773047", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x71c", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0xba4", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.773860", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x71e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "NArgs": 3, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "TokenHandle": "0xc17e870"} +{"Plugin": "syscall", "TimeStamp": "1716999134.773938", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x71f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "NArgs": 4, "ProcessHandle": "0xffffffffffffffff", "DesiredAccess": "0x8", "HandleAttributes": 
"0x0", "TokenHandle": "0xc17e870"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774227", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x722", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xbc4", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774374", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x724", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0x268c", "TokenInformationClass": "0x1", "TokenInformation": "0xc17e910", "TokenInformationLength": "0xa0", "ReturnLength": "0xc17e890"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774548", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x726", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0xcd8", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774939", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x728", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x10f4", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.774975", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x729", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "NArgs": 4, "MutantHandle": 
"0xc17e7e8", "DesiredAccess": "0x1f0001", "ObjectAttributes": "Global\\C::Users:litter:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs", "InitialOwner": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775306", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x72c", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 4, "NArgs": 3, "Handle": "0x10ec", "Alertable": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775444", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x72d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x268c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775587", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x72f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.775712", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x731", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2664"} +{"Plugin": "syscall", "TimeStamp": "1716999134.775929", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x733", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.775998", "PID": 3888, "PPID": 
2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x734", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2550"} +{"Plugin": "syscall", "TimeStamp": "1716999134.776231", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x737", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.776314", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x738", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x924", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.776532", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x73b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.776609", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x73c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "NArgs": 2, "MutantHandle": "0xbb4", "PreviousCount": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.776886", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x73f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.776966", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x740", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0xc17e638"} +{"Plugin": "syscall", "TimeStamp": "1716999134.777223", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x743", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.777300", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x744", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 2, "EventHandle": "0x878", "PreviousState": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.777511", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x747", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.777654", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x749", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x878"} +{"Plugin": "syscall", "TimeStamp": "1716999134.777866", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", 
"EventUID": "0x74b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.777962", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserMsgWaitForMultipleObjectsEx", "EventUID": "0x74c", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1158, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778219", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x74f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778295", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x750", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd18", "Length": "0x4", "ResultLength": "0x27abd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.778553", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x753", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 19, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778586", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x754", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abda8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\*", "OpenOptions": "0x0"} 
+{"Plugin": "syscall", "TimeStamp": "1716999134.778916", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x757", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.778951", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x758", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x87a", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac100", "Length": "0x180", "ResultLength": "0x27ac0ec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.779237", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x75b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.779372", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x75d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x87a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd30", "Length": "0x4", "ResultLength": "0x27abd68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.779536", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x75f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.779675", "PID": 3888, "PPID": 2852, "TID": 2664, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x761", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x87a", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.779833", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x763", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.779962", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x765", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.780153", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x766", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.780427", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x769", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.780460", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x76a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\*\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.780820", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x76d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.780975", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x76f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac170", "Length": "0x180", "ResultLength": "0x27ac15c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.781126", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x770", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.781430", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x773", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "NArgs": 0} +{"Plugin": "syscall", "TimeStamp": "1716999134.781465", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x774", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abda0", "Length": "0x4", "ResultLength": "0x27abdd8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.781731", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x777", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0x16cc78", "Length": "0x4", "ResultLength": "0x16cc88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.781770", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x778", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd18", "Length": "0x4", "ResultLength": "0x27abd28"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782047", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16cca8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782100", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77c", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abda8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\AllFilesystemObjects", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782434", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x77f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b4", "ValueName": "0x16cfe8", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cea0", "Length": "0x90", "ResultLength": "0x16ce54"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782585", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x780", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abdb8", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\AllFilesystemObjects", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782929", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x783", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.782964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x784", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x3", "KeyInformation": "0x27ac100", "Length": "0x180", "ResultLength": "0x27ac0ec"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783245", 
"PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x787", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "TokenHandle": "0x16d018"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783329", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x788", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0xc", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x16d018"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783506", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x7", "KeyInformation": "0x27abd30", "Length": "0x4", "ResultLength": "0x27abd68"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783800", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f0", "KeyInformationClass": "0x7", "KeyInformation": "0x16cce8", "Length": "0x4", "ResultLength": "0x16ccf8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.783842", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", 
"EventUID": "0x78e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x27abc20", "TokenInformationLength": "0x58", "ReturnLength": "0x27abc18"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784124", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x791", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16cd18", "DesiredAccess": "0x1", "ObjectAttributes": "\\SessionInfo\\2", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784193", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x792", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd38", "DesiredAccess": "0x1", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\AllFilesystemObjects\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784494", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x795", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x8b4", "KeyInformationClass": "0x7", "KeyInformation": "0x16cc98", "Length": "0x4", "ResultLength": "0x16cca8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784663", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x797", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x7", "KeyInformation": "0x27abca8", "Length": "0x4", "ResultLength": "0x27abcb8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784824", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x799", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16ccc8", "DesiredAccess": "0x1", "ObjectAttributes": "\\Desktop\\NameSpace\\NameCustomizations", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.784987", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x79a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x27abd48", "DesiredAccess": "0x1", "ObjectAttributes": "\\ShellEx\\{000214F9-0000-0000-C000-000000000046}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785290", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x79d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785478", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x79f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x264a"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785642", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryKey", "EventUID": "0x7a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2cc", "KeyInformationClass": "0x7", "KeyInformation": "0x16cb48", "Length": "0x4", "ResultLength": "0x16cb58"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785837", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2696"} +{"Plugin": "syscall", "TimeStamp": "1716999134.785986", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16cb78", "DesiredAccess": "0x1", "ObjectAttributes": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786139", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0xbe6"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786301", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x8b4", "ValueName": "0x16ceb8", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16cd70", "Length": "0x90", "ResultLength": "0x16cd24"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786449", "PID": 3888, 
"PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7aa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x87a"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786727", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x8b4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.786782", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2552"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787115", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x3", "KeyInformation": "0x16cb50", "Length": "0x180", "ResultLength": "0x16cb3c"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787159", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2570"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787494", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x7b5", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "NArgs": 6, "FunctionCode": "0xc", "InBuffer": "0x0", "InBufferLen": "0x0", "OutBuffer": "0x27ae5d0", "OutBufferLen": "0x10", "ReturnLength": "0x27ae468"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787634", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x16c780", "Length": "0x4", "ResultLength": "0x16c7b8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787928", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7ba", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x3f6", "KeyInformationClass": "0x7", "KeyInformation": "0x16c6f8", "Length": "0x4", "ResultLength": "0x16c708"} +{"Plugin": "syscall", "TimeStamp": "1716999134.787966", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateSemaphore", "EventUID": "0x7bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 192, "NArgs": 5, "SemaphoreHandle": "0x27ae3c8", "DesiredAccess": "0x1f0003", "ObjectAttributes": "ThumbnailCache.SimultaneousExtractions.{66526bdc-5216-40c2-b496-d1eb7c2223a4}", "InitialCount": "0xa", "MaximumCount": "0xa"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788340", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7be", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16c788", 
"DesiredAccess": "0x20019", "ObjectAttributes": "\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788393", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x2570", "Alertable": "0x0", "Timeout": "0x27ae3a8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788711", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0x27ad8d8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.788880", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16c798", "DesiredAccess": "0x20019", "ObjectAttributes": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789053", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "NArgs": 3, "Handle": "0x364", "Alertable": "0x0", "Timeout": "0x27acd88"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789560", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x20008", "OpenAsSelf": "0x1", "TokenHandle": "0x27acde0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789614", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7c9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x3", "KeyInformation": "0x16cbe0", "Length": "0x188", "ResultLength": "0x16cbbc"} +{"Plugin": "syscall", "TimeStamp": "1716999134.789698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7ca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x20008", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x27acde0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790125", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "NArgs": 5, "KeyHandle": "0x2552", "KeyInformationClass": "0x7", "KeyInformation": "0x16c800", "Length": "0x4", "ResultLength": "0x16c838"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790211", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCallOneParam", "EventUID": "0x7cf", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 2, "NArgs": 
0} +{"Plugin": "syscall", "TimeStamp": "1716999134.790412", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7d2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "NArgs": 5, "TokenHandle": "0xfffffffffffffffa", "TokenInformationClass": "0x1", "TokenInformation": "0x16c6f0", "TokenInformationLength": "0x58", "ReturnLength": "0x16c6e8"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790493", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7d3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x43c", "Flags": "0x800000", "SendMessage": "0xb54b140", "SendMessageAttributes": "0x4b4108", "ReceiveMessage": "0x0", "BufferLength": "0x0", "ReceiveMessageAttributes": "0x0", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790711", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7d5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "NArgs": 4, "KeyHandle": "0x16c808", "DesiredAccess": "0x2000000", "ObjectAttributes": "\\REGISTRY\\USER\\S-1-5-21-4104315648-1236803029-4234352119-1001_Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}", "OpenOptions": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.790935", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x7d7", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "NArgs": 5, "PortHandle": "0x104", "PortInformationClass": "0x0", 
"PortInformation": "0x435237f548", "Length": "0x10", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791173", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7da", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "NArgs": 6, "KeyHandle": "0x2552", "ValueName": "LocalizedString", "KeyValueInformationClass": "0x2", "KeyValueInformation": "0x16ce50", "Length": "0x90", "ResultLength": "0x16ce04"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791272", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7db", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "NArgs": 8, "PortHandle": "0x104", "Flags": "0x0", "SendMessage": "0x0", "SendMessageAttributes": "0x0", "ReceiveMessage": "0x16a346d2c70", "BufferLength": "0x435237f538", "ReceiveMessageAttributes": "0x435237f558", "Timeout": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791575", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x7de", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "NArgs": 4, "WorkerFactoryHandle": "0x1c", "WorkerFactoryInformationClass": "0x9", "WorkerFactoryInformation": "0x435237f458", "WorkerFactoryInformationLength": "0x4"} +{"Plugin": "syscall", "TimeStamp": "1716999134.791695", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryAttributesFile", "EventUID": "0x7df", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 61, "NArgs": 2, "ObjectAttributes": 
"\\??\\C:\\Windows\\system32\\shell32.dll", "FileInformation": "0x16c640"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792067", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcImpersonateClientOfPort", "EventUID": "0x7e2", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 134, "NArgs": 3, "PortHandle": "0x6d0", "PortMessage": "0x16a346d2c70", "Reserved": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792150", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x33c0000", "MemoryInformationClass": "0x3", "MemoryInformation": "0x16c6c8", "MemoryInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792382", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7e6", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 36, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x2000000", "OpenAsSelf": "0x1", "TokenHandle": "0x435237f020"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792462", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7e7", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 47, "NArgs": 5, "ThreadHandle": "0xfffffffffffffffe", "DesiredAccess": "0x2000000", "OpenAsSelf": "0x1", "HandleAttributes": "0x0", "TokenHandle": "0x435237f020"} +{"Plugin": "syscall", "TimeStamp": 
"1716999134.792536", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "NArgs": 6, "ProcessHandle": "0xffffffffffffffff", "BaseAddress": "0x33c0000", "MemoryInformationClass": "0x3", "MemoryInformation": "0x16ca20", "MemoryInformationLength": "0x30", "ReturnLength": "0x0"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792887", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "NArgs": 1, "Handle": "0x2552"} +{"Plugin": "syscall", "TimeStamp": "1716999134.792962", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x7ed", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "NArgs": 4, "ThreadHandle": "0xfffffffffffffffe", "ThreadInformationClass": "0x5", "ThreadInformation": "0x435237ef98", "ThreadInformationLength": "0x8"} +{"Plugin": "sysret", "TimeStamp": "1716999134.580523", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x18", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.580724", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x1a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "Ret": 
0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.581350", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x1e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.581566", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x20", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.581748", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x22", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.582454", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAssociateWaitCompletionPacket", "EventUID": "0x26", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 144, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.582641", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x28", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583136", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x2b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583219", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x2c", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583248", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x2d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583557", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x30", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583587", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserValidateTimerCallback", "EventUID": "0x31", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583875", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x34", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.583904", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x35", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584366", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x38", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584400", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x39", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 32422, "Info": "SUCCESS:0:NONE:0x7ea6"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584848", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x3c", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.584965", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x3e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585179", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x41", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585252", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x42", "Module": "nt", "vCPU": 1, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585377", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x44", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585572", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x47", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585672", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x48", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.585744", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x49", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.586093", "PID": 3888, "PPID": 2852, "TID": 1364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetTimerEx", "EventUID": "0x4b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 432, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.586262", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUpdateWnfStateData", "EventUID": "0x4d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 463, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.586838", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x51", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.586929", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x52", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587428", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x56", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587576", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": 
"NtAlpcQueryInformation", "EventUID": "0x58", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587766", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x5b", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587896", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.587967", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x5e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588184", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x61", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588253", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x62", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588370", "PID": 
2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x64", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588561", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtDuplicateObject", "EventUID": "0x67", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 60, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588631", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x68", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588755", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x6a", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.588955", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x6d", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589206", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x70", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589532", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x73", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589564", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcQueryInformationMessage", "EventUID": "0x74", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 138, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.589893", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x77", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590049", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x78", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590397", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590521", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7c", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590772", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0x7f", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590815", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x80", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.590981", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x82", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591159", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x85", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 468, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591310", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x87", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591338", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x88", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591490", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x8a", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591675", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x8d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591703", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x8e", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.591854", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x90", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592032", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x93", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592060", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x94", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592225", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x96", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592547", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x9a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.592884", "PID": 3888, "PPID": 2852, "TID": 7160, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x9d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593047", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x9e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593259", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xa0", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593473", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0xa3", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593572", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xa4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593710", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xa6", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593894", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xa9", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.593972", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xaa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594092", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xac", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594329", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtClose", "EventUID": "0xaf", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594424", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xb0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594557", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0xb2", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.594786", "PID": 2820, "PPID": 636, "TID": 5892, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0xb5", "Module": "nt", "vCPU": 0, "CR3": "0x32650002", "Syscall": 416, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595021", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xb7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595068", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0xb8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595425", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtDuplicateObject", "EventUID": "0xbb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 60, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595557", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xbc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.595731", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xbe", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.596031", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryKey", "EventUID": "0xc1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.596059", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "Ret": 3221225476, "Info": "STATUS_INFO_LENGTH_MISMATCH"} +{"Plugin": "sysret", "TimeStamp": "1716999134.607682", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xc5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.607717", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xc6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xc9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608039", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryObject", "EventUID": "0xca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 16, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608344", "PID": 3888, "PPID": 2852, "TID": 364, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationObject", "EventUID": "0xcd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 92, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608537", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.608838", "PID": 3888, "PPID": 2852, "TID": 364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenSection", "EventUID": "0xd0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 55, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.609235", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xd3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.609872", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0xd6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 51, "Ret": 3221225530, "Info": "STATUS_OBJECT_PATH_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.609964", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd7", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610256", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0xd9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610572", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0xdc", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610644", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0xdd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.610921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xe0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611093", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0xe1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611207", "PID": 3888, "PPID": 2852, "TID": 6956, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0xe3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "Ret": 67174810, "Info": "SUCCESS:0:UNKNOWN:0x19a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611534", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0xe6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 59, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611600", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0xe7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611848", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xea", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.611917", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0xeb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612168", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0xee", "Module": "win32k", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 53, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612246", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateEvent", "EventUID": "0xef", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 72, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612501", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xf2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612734", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0xf4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612823", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0xf5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.612980", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0xf7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613231", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0xfa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613329", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0xfb", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613653", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateFile", "EventUID": "0xfe", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 85, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613751", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0xff", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.613977", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x101", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614130", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x103", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, 
"Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614342", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x105", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614459", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x107", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 1896155399, "Info": "INFO:1:UNKNOWN:0x907"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614726", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x10a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.614855", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x10b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 10, "Ret": 671156285, "Info": "SUCCESS:1:UNKNOWN:0x83d"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616430", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReadFile", "EventUID": "0x10e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 6, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616526", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBitmapInternal", "EventUID": "0x10f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 156, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616732", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x111", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.616874", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x113", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 1196, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617161", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x115", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617271", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x117", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617543", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x11a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617612", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x11b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 152, "Ret": 67174810, "Info": "SUCCESS:0:UNKNOWN:0x19a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617858", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x11e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.617942", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x11f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 59, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618140", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x121", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618255", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x123", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618503", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x126", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618581", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x127", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 53, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618781", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x129", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.618914", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x12b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619113", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x12d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619251", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x12f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 41, "Ret": 96, "Info": 
"SUCCESS:0:NONE:0x60"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619485", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x132", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619596", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x133", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619846", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x136", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.619925", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x137", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620126", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x139", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620250", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x13b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 58, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620450", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x13d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620565", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x13f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": "ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620786", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x141", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.620908", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x143", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "Ret": 302057640, "Info": "SUCCESS:0:UNKNOWN:0x8a8"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621143", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x146", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621220", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x147", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621431", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x149", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621611", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateBitmap", "EventUID": "0x14b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 107, "Ret": 168101667, "Info": "SUCCESS:0:UNKNOWN:0x723"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621897", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x14e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.621975", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x14f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622194", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x152", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622270", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x153", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622511", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x156", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622669", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x157", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622912", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x15a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.622988", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x15b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072921352432, "Info": 
"ERROR:0:UNKNOWN:0x8f0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623204", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x15e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623277", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x15f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 168101667, "Info": "SUCCESS:0:UNKNOWN:0x723"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623495", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x162", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623632", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x163", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623897", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x166", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.623985", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x167", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624293", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x16a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624368", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCreateEmptyCursorObject", "EventUID": "0x16b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 956, "Ret": 1311641, "Info": "SUCCESS:0:ACPI_ERROR_CODE:0x399"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x16e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.624730", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetCursorIconData", "EventUID": "0x16f", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 158, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625090", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x173", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625532", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUnmapViewOfSectionEx", "EventUID": "0x174", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 461, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625622", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUnmapViewOfSection", "EventUID": "0x175", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 42, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625783", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x177", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.625946", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x179", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626118", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x17b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626323", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenKeyEx", "EventUID": "0x17d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626627", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x180", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626654", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x181", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.626962", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x184", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627109", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x185", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627282", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x187", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627620", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.627660", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x18b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628050", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628079", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x18f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628417", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x192", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628537", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x193", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": 
"STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.628706", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x195", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629036", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x198", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629064", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x199", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629462", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629493", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x19d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629791", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x1a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.629930", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630297", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630409", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630574", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630850", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1aa", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": 
"STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.630877", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ab", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631224", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631252", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631573", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x1b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631600", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631867", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1b6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.631894", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x1b7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.632218", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ba", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.632335", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1bb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.632501", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1bd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633114", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1c0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.633249", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x1c1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633394", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1c3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633571", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x1c5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633722", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1c7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.633903", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x1c9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634065", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1cb", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634402", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x1ce", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634430", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1cf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634698", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1d2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634738", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetIconInfo", "EventUID": "0x1d3", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 79, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.634987", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1d6", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635016", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1d7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635282", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1da", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635309", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetDC", "EventUID": "0x1db", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 10, "Ret": 671156285, "Info": "SUCCESS:1:UNKNOWN:0x83d"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635553", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1de", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635580", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1df", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635835", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1e2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.635863", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserReleaseDC", "EventUID": "0x1e3", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1196, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636117", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1e6", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636145", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1e7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636410", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ea", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636437", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x1eb", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636710", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1ee", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.636738", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1ef", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637002", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x1f2", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637030", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1f3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637293", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1f6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637320", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDIBitsInternal", "EventUID": "0x1f7", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 130, "Ret": 48, "Info": 
"SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637659", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x1fb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637735", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x1fc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 24, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637811", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateDIBSection", "EventUID": "0x1fd", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 151, "Ret": 839190122, "Info": "SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.637927", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x1ff", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638152", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x202", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638225", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x203", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638452", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCforBitmap", "EventUID": "0x206", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 152, "Ret": 67174810, "Info": "SUCCESS:0:UNKNOWN:0x19a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638538", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x207", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638763", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSaveDC", "EventUID": "0x20a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 59, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.638837", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x20b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639086", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x20e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 839190122, "Info": 
"SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639159", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x20f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639403", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCObject", "EventUID": "0x212", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 53, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639478", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x213", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639729", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x216", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.639795", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x217", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640040", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSetDIBitsToDeviceInternal", "EventUID": "0x21a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 41, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640105", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x21b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640369", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSelectPalette", "EventUID": "0x21e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 29, "Ret": 8912907, "Info": "SUCCESS:0:(null):0xb"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x21f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640687", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x222", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 839190122, "Info": "SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.640764", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x223", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 
0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641000", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiRestoreDC", "EventUID": "0x226", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 58, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641064", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x227", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641297", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x22a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 11, "Ret": 839190122, "Info": "SUCCESS:1:UNKNOWN:0x66a"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641371", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x22b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641621", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x22e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641687", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x22f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641919", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x232", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.641983", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x233", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642218", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x236", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642282", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x237", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642513", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExtGetObjectW", "EventUID": "0x23a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 82, "Ret": 32, "Info": "SUCCESS:0:NONE:0x20"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.642589", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x23b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642852", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x23e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.642929", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x23f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.643174", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x242", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.643242", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x243", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.643517", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenProcess", "EventUID": "0x246", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.644635", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x247", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645010", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x24b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645067", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x24c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645134", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x24d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645391", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x250", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645459", "PID": 3888, "PPID": 2852, "TID": 6956, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x251", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645776", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x254", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.645887", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x255", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646057", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x257", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646212", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x259", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646368", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x25b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646523", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x25d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646692", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x25f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646848", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x261", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.646983", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x263", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647127", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x265", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647296", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtWaitForSingleObject", "EventUID": "0x267", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647472", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x269", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647702", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x26b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.647885", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x26d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.648026", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x26f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.648184", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x271", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.648768", "PID": 3888, "PPID": 2852, "TID": 2664, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x273", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649056", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x277", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649142", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x278", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649169", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x279", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649422", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x27c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649461", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x27d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649761", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x280", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.649788", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x281", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650059", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x284", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650085", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x285", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650342", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x288", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650367", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", 
"EventUID": "0x289", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650625", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x28c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650651", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x28d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650923", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x290", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.650948", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x291", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651203", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x294", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651229", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x295", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651521", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x298", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651547", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenFile", "EventUID": "0x299", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 51, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651854", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x29c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.651881", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVolumeInformationFile", "EventUID": "0x29d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 73, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652134", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2a0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": 
"sysret", "TimeStamp": "1716999134.652159", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2a1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652402", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652428", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652698", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2a8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652724", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.652997", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ac", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653262", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653601", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653671", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653776", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.653937", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654086", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2b7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654250", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654425", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2bb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654563", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654728", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.654878", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.655022", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655166", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655292", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2c7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655451", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2c9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655598", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2cb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655755", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2cd", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.655899", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2cf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656042", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656191", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x2d3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656334", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656494", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.656947", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2d9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657199", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x2dc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657321", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x2de", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657348", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2df", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657630", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x2e2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.657687", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.657986", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2e6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658013", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x2e7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658269", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2ea", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658295", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2eb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658566", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2ee", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658593", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ef", "Module": "nt", "vCPU": 
0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658863", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x2f2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.658889", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659166", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x2f6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659198", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2f7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659460", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x2fa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659486", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659772", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2fe", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.659800", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x2ff", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660075", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x302", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660102", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x303", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660382", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x306", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.660646", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x307", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.660996", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x30b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661063", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x30c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661153", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x30d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661315", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x30f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661460", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": 
"0x311", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661619", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x313", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661802", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x315", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.661941", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x317", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662107", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x319", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662258", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x31b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662404", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x31d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662551", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x31f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662716", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x321", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.662867", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x323", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663013", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x325", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663158", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x327", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.663323", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x329", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663470", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663639", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x32d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663798", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x32f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.663966", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x331", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.664662", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x333", "Module": 
"nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665046", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x337", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665118", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x338", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665228", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x339", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665400", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665584", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x33d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665741", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x33f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.665927", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x341", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666085", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x343", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666262", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x345", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666416", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x347", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666566", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x349", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.666721", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x34b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.666878", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x34d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667028", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x34f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667178", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x351", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667348", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x353", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667505", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x355", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667656", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x357", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667807", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x359", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.667958", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668112", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x35d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668274", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x35f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668446", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x361", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.668842", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x363", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669140", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x367", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669229", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x368", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669271", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x369", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669545", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x36c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.669572", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x36d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669872", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x370", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.669900", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x371", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670170", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x374", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670222", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x375", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670530", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x378", "Module": "nt", "vCPU": 1, 
"CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670562", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x379", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670835", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.670862", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x37d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671129", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x380", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671156", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x381", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671434", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x384", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671461", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x385", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671728", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x388", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.671755", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x389", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672041", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x38c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672324", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x38d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.672733", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x391", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672815", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x392", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.672905", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x393", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673065", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x395", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673205", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x397", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673382", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x399", 
"Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673626", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x39b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673763", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x39d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.673908", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x39f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674053", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674192", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674351", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674510", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674666", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674815", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x3ab", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.674959", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3ad", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675104", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3af", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.675256", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675422", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675568", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675736", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3b7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.675887", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676052", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3bb", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676610", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3bf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676760", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676826", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x3c2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.676932", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677235", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x3c7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677317", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x3c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677344", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3c9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677659", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x3cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677690", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3cd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.677979", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678005", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3d1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.678291", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678425", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3d5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678597", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x3d7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678767", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3d9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.678908", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3db", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679082", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": 
"0x3dd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679231", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3df", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679404", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x3e1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.679561", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x3e3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680088", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3e6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680473", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x3e7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680768", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x3eb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680857", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x3ec", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.680885", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.681252", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x3ef", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.681445", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.681628", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x3f3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.682001", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682028", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAllocateVirtualMemory", "EventUID": "0x3f7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682439", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3f9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682620", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x3fb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682771", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3fd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.682929", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x3ff", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683078", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x401", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683216", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x403", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683377", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x405", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683536", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x407", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683699", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x409", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.683881", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x40b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684034", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x40d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684205", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x40f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684374", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x411", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.684966", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x415", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685034", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x416", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": 
"sysret", "TimeStamp": "1716999134.685128", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x417", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685294", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x419", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685449", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x41b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685601", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x41d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685774", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x41f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.685927", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x421", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686073", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x423", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686360", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x426", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686391", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x427", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686672", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x42a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686698", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x42b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686972", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x42e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.686999", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x42f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687293", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x432", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687324", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x433", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687616", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x436", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.687732", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x437", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.687927", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x439", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688319", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x43b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688614", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x43f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688697", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x440", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.688738", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x441", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689015", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x444", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689042", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x445", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689346", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x448", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689459", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x449", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689622", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689804", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.689947", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x44f", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690151", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x452", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690231", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x453", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690516", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x456", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690580", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x457", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690847", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetInformationKey", "EventUID": "0x45a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 409, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.690915", "PID": 3888, 
"PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x45b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691226", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x45e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691294", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x45f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691550", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x462", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691619", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x463", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.691921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x466", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, 
"Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692199", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x467", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 49, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692596", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692665", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x46d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692717", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x46e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.692787", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x46f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693067", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x472", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693291", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x475", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693383", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x476", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693615", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x479", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693680", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x47a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.693994", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x47d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694059", 
"PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x47e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694304", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x481", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694370", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x482", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694616", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x485", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694680", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x486", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.694970", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x489", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, 
"Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.695147", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x48a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.695263", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x48c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.697552", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.698429", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x491", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.698526", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x492", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.699041", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x494", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.699591", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x496", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.699942", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x498", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.700314", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x49a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.700595", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x49c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.700880", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x49e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.701094", "PID": 3888, 
"PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4a0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.701468", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4a2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.701707", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4a4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.702026", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.702688", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.702846", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4aa", "Module": "nt", "vCPU": 0, "CR3": 
"0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.703160", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4ac", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.703519", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4ae", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.703820", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.704176", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.704496", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.706124", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x4b6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.706500", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.706786", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x4ba", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.707235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.708098", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x4bf", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.708191", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x4c0", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.708507", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x4c2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.708996", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x4c4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.709316", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.709703", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4c8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.710001", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x4ca", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.710316", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x4cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.710735", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x4ce", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.711614", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetDCDword", "EventUID": "0x4cf", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 63, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.712109", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.712607", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4d3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 3, "Info": "STATUS_WAIT_3"} +{"Plugin": "sysret", "TimeStamp": "1716999134.713052", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.714070", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4d7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.714435", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetRandomRgn", "EventUID": "0x4d9", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 43, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.714755", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiIntersectClipRect", "EventUID": "0x4db", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 32, "Ret": 3, "Info": "STATUS_WAIT_3"} +{"Plugin": "sysret", "TimeStamp": "1716999134.715090", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiExcludeClipRect", "EventUID": "0x4dd", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 150, "Ret": 3, "Info": "STATUS_WAIT_3"} +{"Plugin": "sysret", "TimeStamp": "1716999134.715514", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4df", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.715909", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": 
"SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.717380", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e3", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.717852", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.718086", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4e7", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.718427", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtFindAtom", "EventUID": "0x4ea", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 20, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.718665", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x4ec", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 65537, "Info": "DBG_EXCEPTION_HANDLED"} +{"Plugin": "sysret", "TimeStamp": "1716999134.719260", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserKillTimer", "EventUID": "0x4ee", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 27, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.719593", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiGetAppClipBox", "EventUID": "0x4f0", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 67, "Ret": 2, "Info": "STATUS_WAIT_2"} +{"Plugin": "sysret", "TimeStamp": "1716999134.720254", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiCreateCompatibleDC", "EventUID": "0x4f2", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 84, "Ret": 604047199, "Info": "SUCCESS:1:UNKNOWN:0x75f"} +{"Plugin": "sysret", "TimeStamp": "1716999134.720558", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4f4", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 8716303, "Info": "SUCCESS:0:(null):0xf"} +{"Plugin": "sysret", "TimeStamp": "1716999134.721188", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiBitBlt", "EventUID": "0x4f6", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 8, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.721814", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x4f9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722154", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiSelectBitmap", "EventUID": "0x4fa", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 11, "Ret": 18446744072485144931, "Info": "WARNING:1:UNKNOWN:0x963"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722440", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x4fd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722465", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x4fe", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722744", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x501", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.722770", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x502", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723203", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtQueryInformationToken", "EventUID": "0x505", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723230", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x506", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723670", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x509", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.723697", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x50a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724003", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x50d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724114", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x50e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724458", 
"PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x511", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724573", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x512", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724916", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x515", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.724946", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x516", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725227", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x519", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725256", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x51a", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725758", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x51d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.725784", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x51e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726056", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x521", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726081", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x522", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726397", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x525", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726618", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x526", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726919", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x529", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.726945", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x52a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.727242", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x52d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.727269", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x52e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.727696", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x532", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.727845", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x534", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728011", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x536", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728521", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x53b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728703", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x53d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.728911", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x540", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729091", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": 
"0x542", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729159", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x543", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729290", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x545", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729533", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x548", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729622", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x549", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": "STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729883", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x54c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.729944", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x54d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730245", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x550", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730310", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x551", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730436", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x553", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730704", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x556", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.730761", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x557", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": 
"STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731023", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x55a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731068", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x55b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731334", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731397", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x55f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731875", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x562", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.731948", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryKey", "EventUID": "0x563", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732110", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x565", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732370", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x568", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732454", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x569", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732784", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x56c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.732864", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x56d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733111", "PID": 3888, "PPID": 2852, "TID": 3844, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x570", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733309", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x572", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733392", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x573", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733690", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x576", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.733760", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x577", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734017", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x57a", "Module": "nt", 
"vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734231", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x57b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734295", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x57c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.734701", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x580", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735035", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x584", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735062", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x585", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735244", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x587", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735483", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryLicenseValue", "EventUID": "0x58a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 340, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735648", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x58c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735674", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x58d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.735956", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x590", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736001", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x591", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": 
"STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736352", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x594", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736507", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x596", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736702", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x597", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.736918", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x59a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737083", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x59c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737221", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtQueryValueKey", "EventUID": "0x59d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225507, "Info": "STATUS_BUFFER_TOO_SMALL"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737403", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737598", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5a1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737768", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.737899", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5a5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738301", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5a8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738332", "PID": 3888, "PPID": 
2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5a9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738519", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKey", "EventUID": "0x5ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 18, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738784", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ae", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.738926", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739183", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateKey", "EventUID": "0x5b2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 29, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739339", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5b4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739534", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b5", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739840", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5b8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.739872", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x5b9", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740178", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5bc", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740211", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5bd", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740512", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5c0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740546", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x5c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.740886", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQuerySystemInformation", "EventUID": "0x5c2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 54, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.741229", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSystemParametersInfo", "EventUID": "0x5c5", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 66, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.741293", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5c6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.741613", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserSetTimer", "EventUID": "0x5c9", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 24, "Ret": 2, "Info": "STATUS_WAIT_2"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.741703", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5ca", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.742008", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserEndPaint", "EventUID": "0x5cd", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 25, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.742782", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5d0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.742814", "PID": 5740, "PPID": 5640, "TID": 5904, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x5d1", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743309", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5d6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743341", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCancelTimer", "EventUID": "0x5d7", 
"Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 97, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743621", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5da", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743648", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5db", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.743967", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5de", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744111", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5df", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744270", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e1", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744425", "PID": 3888, "PPID": 2852, 
"TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5e3", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744576", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x5e5", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744887", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5e8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.744915", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISetSyncRefreshCountWaitTarget", "EventUID": "0x5e9", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 586, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.745484", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5ed", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.745809", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x5f1", "Module": "nt", "vCPU": 0, 
"CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.745920", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x5f3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746094", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x5f6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746154", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x5f7", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746180", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x5f8", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746465", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5fb", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746557", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x5fc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746775", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x5fe", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.746914", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x600", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747058", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x602", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747348", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x605", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747375", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x606", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747678", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x609", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.747793", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x60a", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748021", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x60d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748523", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetIoCompletionEx", "EventUID": "0x612", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 419, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748804", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x614", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 468, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748869", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x615", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 369, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.748957", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPeekMessage", "EventUID": "0x616", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 1, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749141", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x618", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749287", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x61a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749446", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x61c", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749611", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetThreadState", "EventUID": "0x61e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 
0, "Ret": 65886, "Info": "SUCCESS:0:DEBUGGER:0x15e"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749803", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x620", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.749975", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x622", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750125", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x624", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750312", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x626", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750486", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x628", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750645", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x62a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750821", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x62c", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.750982", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x62e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751152", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x630", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751362", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x632", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751539", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x634", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", 
"Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751716", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x636", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.751863", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x638", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752035", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x63a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752174", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x63c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752333", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x63e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752487", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x640", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752657", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x642", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752797", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x644", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.752952", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x646", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753104", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x648", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753252", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x64a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": 
"SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753408", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x64c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753626", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x64e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753764", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x650", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.753913", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x652", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754041", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x654", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754215", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x656", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754351", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x658", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754511", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x65a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754711", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x65c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.754884", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x65e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755026", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCancelWaitCompletionPacket", "EventUID": "0x660", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 149, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": 
"sysret", "TimeStamp": "1716999134.755179", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x662", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755334", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x664", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755495", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x666", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755656", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x668", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755811", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x66a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.755957", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtClose", "EventUID": "0x66c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756124", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x66e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756323", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x670", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756507", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x672", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756691", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x674", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.756927", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x676", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757102", "PID": 3888, "PPID": 
2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x678", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757256", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x67a", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757468", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x67c", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.757655", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x67e", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758167", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x680", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758320", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x681", "Module": "nt", 
"vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758621", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x684", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758648", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x685", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758945", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x688", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.758973", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x689", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759295", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x68c", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759412", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x68d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759574", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetTimerEx", "EventUID": "0x68f", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 432, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759845", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x693", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 356, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759923", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x694", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.759990", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionBeginFrame", "EventUID": "0x695", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 286, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760321", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x699", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 
3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760413", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x69a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760442", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetConnectionBatch", "EventUID": "0x69b", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 305, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760803", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x69f", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760874", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.760988", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6a1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761154", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForMultipleObjects", "EventUID": "0x6a3", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 91, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761470", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6a7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761521", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x6a8", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 369, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761585", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6a9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761857", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6ac", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.761925", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6ad", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", 
"Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762191", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameLegacyTokens", "EventUID": "0x6b0", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 307, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762382", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6b2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762479", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762600", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiHLSurfGetInformation", "EventUID": "0x6b5", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 733, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762848", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6b8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.762925", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": 
"SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6b9", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763301", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x6bd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763354", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiGetRegionData", "EventUID": "0x6be", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 64, "Ret": 48, "Info": "SUCCESS:0:NONE:0x30"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763430", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x6bf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763701", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDeleteObjectApp", "EventUID": "0x6c2", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 35, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.763780", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6c3", "Module": "nt", 
"vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764096", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtDCompositionGetFrameSurfaceUpdates", "EventUID": "0x6c6", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 309, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764184", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryWnfStateData", "EventUID": "0x6c7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 356, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764446", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6c9", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764578", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x6cb", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764835", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6ce", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.764901", "PID": 3888, "PPID": 2852, "TID": 
7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x6cf", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.765176", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckMonitorPowerState", "EventUID": "0x6d2", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 433, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.765259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6d3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766391", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDICheckVidPnExclusiveOwnership", "EventUID": "0x6d6", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 439, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766593", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x6d8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766726", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x6da", "Module": 
"nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.766810", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6db", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767065", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x6de", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767133", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6df", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767445", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", "EventUID": "0x6e2", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767524", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e3", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767795", "PID": 3888, "PPID": 2852, "TID": 7036, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x6e6", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.767863", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6e7", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768113", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x6ea", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768181", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryInformationThread", "EventUID": "0x6eb", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 37, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768409", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x6ed", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768660", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6f0", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, 
"Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768889", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6f3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.768966", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtQueryPerformanceCounter", "EventUID": "0x6f4", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 49, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769268", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationFile", "EventUID": "0x6f7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 17, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769347", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6f8", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769636", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIGetDeviceState", "EventUID": "0x6fc", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 488, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769718", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x6fd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.769966", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x700", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770038", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x701", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770286", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x704", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770370", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x705", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770615", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtClearEvent", "EventUID": "0x708", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 62, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.770697", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationProcess", "EventUID": "0x709", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 25, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.770963", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISubmitCommand", "EventUID": "0x70c", "Module": "win32k", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 597, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.771488", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x70f", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 368, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.771845", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x712", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.771874", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDISignalSynchronizationObjectFromGpu2", "EventUID": "0x713", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 596, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772174", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x715", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772346", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtReleaseWorkerFactoryWorker", "EventUID": "0x717", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 368, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772582", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtCreateEvent", "EventUID": "0x719", "Module": "nt", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 72, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.772888", "PID": 5740, "PPID": 5640, "TID": 5896, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtGdiDdDDIPresent", "EventUID": "0x71b", "Module": "win32k", "vCPU": 1, "CR3": "0x5ea78002", "Syscall": 543, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.773195", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x71d", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 38, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774057", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessTokenEx", "EventUID": "0x720", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 48, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.774146", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcessToken", "EventUID": "0x721", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 297, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774318", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x723", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774484", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x725", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.774699", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x727", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775082", "PID": 5740, "PPID": 5640, "TID": 5988, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe", "Method": "NtSetEvent", "EventUID": "0x72a", "Module": "nt", "vCPU": 0, "CR3": "0x5ea78002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775242", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateMutant", 
"EventUID": "0x72b", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 180, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775515", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x72e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775686", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x730", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.775804", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x732", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776032", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x735", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776112", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x736", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776350", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x739", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776413", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x73a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776655", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x73d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.776719", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtReleaseMutant", "EventUID": "0x73e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 32, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777002", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x741", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777064", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x742", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 
4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777334", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x745", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777396", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtSetEvent", "EventUID": "0x746", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 14, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777620", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x748", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777743", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x74a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.777996", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x74d", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778106", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x74e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778334", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x751", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778395", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x752", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778707", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x755", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.778739", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x756", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779048", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x759", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.779169", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x75a", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779326", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x75c", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873504, "Info": "SUCCESS:0:UNKNOWN:0xb720"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779468", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x75e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779628", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x760", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779770", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x762", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.779917", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": 
"0x764", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780238", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x767", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780267", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x768", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 139210256, "Info": "SUCCESS:0:UNKNOWN:0x2e10"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780574", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x76b", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780729", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x76c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.780925", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x76e", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", 
"TimeStamp": "1716999134.781210", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x771", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781239", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x772", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781542", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x775", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781571", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserGetProp", "EventUID": "0x776", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 14, "Ret": 44873632, "Info": "SUCCESS:0:UNKNOWN:0xb7a0"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781846", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x779", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.781874", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x77a", 
"Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782224", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77d", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782343", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x77e", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782706", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x781", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.782736", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x782", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783038", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x785", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783171", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x786", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783452", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x789", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783597", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x78b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783625", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783918", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x78f", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.783946", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x790", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} 
+{"Plugin": "sysret", "TimeStamp": "1716999134.784284", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x793", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.784423", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x794", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.784606", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x796", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.784759", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x798", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785082", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x79b", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785219", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenKeyEx", "EventUID": "0x79c", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785385", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x79e", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785570", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785751", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7a2", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.785920", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786094", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7a6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786236", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7a8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786523", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7ab", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 23, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786551", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ac", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786872", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7af", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.786902", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7b0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.787242", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7b3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.787402", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b4", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.787716", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7b8", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.787759", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtTraceControl", "EventUID": "0x7b9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 452, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788136", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7bc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788165", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtCreateSemaphore", "EventUID": "0x7bd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 192, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788477", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c0", "Module": "nt", "vCPU": 1, "CR3": 
"0x119b1002", "Syscall": 4, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788603", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7c1", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.788805", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c3", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789340", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtWaitForSingleObject", "EventUID": "0x7c6", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 4, "Ret": 258, "Info": "STATUS_TIMEOUT"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789371", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7c7", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789843", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7cb", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 47, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789941", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7cc", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 36, "Ret": 3221225596, "Info": "STATUS_NO_TOKEN"} +{"Plugin": "sysret", "TimeStamp": "1716999134.789969", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7cd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790245", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x7d0", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790319", "PID": 3888, "PPID": 2852, "TID": 2664, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserCallOneParam", "EventUID": "0x7d1", "Module": "win32k", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 2, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790547", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7d4", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790764", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtWaitForWorkViaWorkerFactory", "EventUID": "0x7d6", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 468, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.790978", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7d8", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791043", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcQueryInformation", "EventUID": "0x7d9", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 137, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791366", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcSendWaitReceivePort", "EventUID": "0x7dc", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 140, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791427", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryValueKey", "EventUID": "0x7dd", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 23, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791775", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationWorkerFactory", "EventUID": "0x7e0", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 416, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.791941", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryAttributesFile", "EventUID": "0x7e1", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 61, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792190", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAlpcImpersonateClientOfPort", "EventUID": "0x7e4", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 134, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792264", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e5", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792613", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryVirtualMemory", "EventUID": "0x7e9", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 35, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792655", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadTokenEx", "EventUID": "0x7ea", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 47, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.792741", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThreadToken", "EventUID": "0x7eb", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 36, "Ret": 0, "Info": 
"STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793001", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtClose", "EventUID": "0x7ee", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793066", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtSetInformationThread", "EventUID": "0x7ef", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 13, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793360", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserRedrawWindow", "EventUID": "0x7f2", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 19, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793532", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7f4", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.793687", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtUserPostMessage", "EventUID": "0x7f6", "Module": "win32k", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 15, "Ret": 1, "Info": "STATUS_WAIT_1"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794055", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtQueryKey", "EventUID": "0x7fa", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794125", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x7fb", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794531", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x7ff", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794667", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x800", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.794925", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtQueryKey", "EventUID": "0x803", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 22, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": "1716999134.795149", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x806", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "sysret", "TimeStamp": 
"1716999134.795356", "PID": 3888, "PPID": 2852, "TID": 3844, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenKeyEx", "EventUID": "0x808", "Module": "nt", "vCPU": 1, "CR3": "0x119b1002", "Syscall": 289, "Ret": 3221225524, "Info": "STATUS_OBJECT_NAME_NOT_FOUND"} +{"Plugin": "sysret", "TimeStamp": "1716999134.795558", "PID": 888, "PPID": 636, "TID": 160, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtQueryInformationToken", "EventUID": "0x80b", "Module": "nt", "vCPU": 0, "CR3": "0xd378002", "Syscall": 33, "Ret": 0, "Info": "STATUS_SUCCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329543", "PID": 4, "PPID": 0, "RunningProcess": "System"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329625", "PID": 92, "PPID": 4, "RunningProcess": "Registry"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329695", "PID": 328, "PPID": 4, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\smss.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329761", "PID": 420, "PPID": 408, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329829", "PID": 516, "PPID": 408, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\wininit.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.329897", "PID": 636, "PPID": 516, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331153", "PID": 644, "PPID": 516, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331220", "PID": 772, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331285", "PID": 800, "PPID": 516, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\fontdrvhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331348", "PID": 888, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331371", "PID": 952, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\sppsvc.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331434", "PID": 288, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331497", "PID": 444, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331560", "PID": 792, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331583", "PID": 1104, "PPID": 1084, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\oobe\\msoobe.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331649", "PID": 1128, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331713", "PID": 1176, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331777", "PID": 1256, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331839", "PID": 1304, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331901", "PID": 1312, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331970", "PID": 1552, "PPID": 636, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.331992", "PID": 1816, "PPID": 4, "RunningProcess": "MemCompression"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332054", "PID": 1912, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332117", "PID": 1920, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332180", "PID": 2016, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\spoolsv.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332242", "PID": 1144, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332304", "PID": 2120, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332327", "PID": 2196, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files\\Windows Defender\\MsMpEng.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332440", "PID": 2776, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332504", "PID": 2820, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332568", "PID": 2892, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SearchIndexer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332632", "PID": 2964, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\taskhostw.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332695", "PID": 3040, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\CompatTelRunner.exe"} 
+{"Plugin": "procmon", "TimeStamp": "1716999134.332758", "PID": 656, "PPID": 3040, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332833", "PID": 1948, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332896", "PID": 3880, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\CloudExperienceHostBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.332959", "PID": 3604, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\wbem\\WmiPrvSE.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333023", "PID": 4688, "PPID": 1176, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\audiodg.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333087", "PID": 1468, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333149", "PID": 5008, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333212", "PID": 5028, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333277", "PID": 3148, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SgrmBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333340", "PID": 1944, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333403", "PID": 4832, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333467", "PID": 5592, "PPID": 5576, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333545", "PID": 5640, "PPID": 5576, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\winlogon.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333609", "PID": 5716, "PPID": 5640, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\fontdrvhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333672", "PID": 5740, "PPID": 5640, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333735", "PID": 6076, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\sihost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333802", "PID": 6084, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333865", "PID": 4544, "PPID": 1128, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\ctfmon.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333887", "PID": 2852, "PPID": 5640, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333910", "PID": 3888, "PPID": 2852, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.333996", "PID": 5228, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\smartscreen.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334081", "PID": 5068, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334141", "PID": 4240, "PPID": 4292, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334228", "PID": 984, "PPID": 636, "RunningProcess": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334314", "PID": 5132, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334400", "PID": 4332, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.334486", "PID": 3808, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.335806", "PID": 5596, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.335892", "PID": 7128, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.335976", "PID": 6172, "PPID": 288, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\taskhostw.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336065", "PID": 2284, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336150", "PID": 2168, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336234", "PID": 972, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336320", "PID": 664, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\RuntimeBroker.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999134.336408", "PID": 6872, "PPID": 3888, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SecurityHealthSystray.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336498", "PID": 6904, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\SecurityHealthService.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336583", "PID": 5284, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336668", "PID": 4144, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336755", "PID": 2716, "PPID": 772, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\ApplicationFrameHost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336801", "PID": 3532, "PPID": 6076, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336846", "PID": 3732, "PPID": 3532, "RunningProcess": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.336937", "PID": 3548, "PPID": 1324, "RunningProcess": "\\Device\\HarddiskVolume2\\Users\\litter\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.337023", "PID": 1120, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.337111", "PID": 4284, "PPID": 636, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.337198", "PID": 4852, "PPID": 3888, "RunningProcess": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999134.337283", "PID": 3564, "PPID": 4852, "RunningProcess": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.643517", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x246", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e700", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.648184", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x271", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6e0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.652997", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ac", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.656494", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d7", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.660382", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x306", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.663966", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x331", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.668446", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x361", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.672041", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x38c", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.676052", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3bb", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999134.680088", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3e6", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.684374", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x411", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.687927", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x439", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.691921", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x466", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.697552", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48e", "ProcessHandle": "0x8b0", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, 
"ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.702026", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a6", "ProcessHandle": "0x14a8", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.707235", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4bc", "ProcessHandle": "0x2638", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.765259", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6d3", "ProcessHandle": "0x268c", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e7f0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.773195", "PID": 3888, "PPID": 2852, "TID": 7036, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x71d", "ProcessHandle": "0x2664", "DesiredAccess": "0x400", "ObjectAttributes": "0xc17e800", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.827617", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x965", 
"ProcessHandle": "0x2550", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.831578", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x98d", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.835590", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x9b7", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.858885", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x9de", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.863144", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa0a", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.866972", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa32", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.871153", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa5c", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.875098", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xa85", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.879363", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xaaf", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.883318", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xad4", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.887277", 
"PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb00", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.890965", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb26", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.895894", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb56", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.900552", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb7d", "ProcessHandle": "0x8b4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.908549", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xbcb", "ProcessHandle": "0x878", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e7f0", "ClientID": 3888, "ClientName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.916926", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xc21", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e890", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.921279", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xc4c", "ProcessHandle": "0x2694", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e8d0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.926052", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xc81", "ProcessHandle": "0x2550", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e6e0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999134.955541", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xcef", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75eac0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.171900", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1651", "ProcessHandle": 
"0x13a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.179480", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x168c", "ProcessHandle": "0x13f0", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.211431", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x184b", "ProcessHandle": "0xbe4", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.215829", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1885", "ProcessHandle": "0x2648", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.260862", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1ae5", "ProcessHandle": "0x6dc", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.265165", "PID": 3888, "PPID": 2852, "TID": 6956, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x1b1c", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x75e9b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.272108", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b77", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.272892", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b78", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273032", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b7a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273153", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b7c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273270", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999135.273607", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b80", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273736", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b82", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273833", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b83", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.273990", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b85", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274096", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b86", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274225", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b88", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274321", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b89", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274467", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274585", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.274841", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.275079", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b8f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.275350", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b91", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.276199", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b92", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.276446", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b94", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.276684", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b96", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.277086", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b97", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.277605", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b98", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.277991", "PID": 3564, "PPID": 4852, 
"TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.281929", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.282155", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.282415", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1b9e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.282652", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.283060", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999135.283369", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.283719", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.284007", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.284302", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.286033", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1ba9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.286294", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1baa", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.289195", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x1bbc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.501760", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x26dd", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd200", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.503888", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x26fb", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd200", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.506128", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2716", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.508186", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2736", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": 
"0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.510215", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2755", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.512187", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2775", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.514178", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2795", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.516269", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x27b4", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.518345", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": 
"NtOpenProcess", "EventUID": "0x27d3", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.520330", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x27f1", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.522428", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2812", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.534480", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x28dc", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.536446", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x28fc", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.538373", "PID": 3888, "PPID": 2852, "TID": 4344, 
"UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x291b", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.542727", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2963", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.544634", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x297f", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cd8c0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.546615", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x299f", "ProcessHandle": "0x1a1c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cda50", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.550190", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x29da", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98ce100", "ClientID": 3888, "ClientName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.554347", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2a1c", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98ce110", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.558976", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2a65", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.561567", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2a91", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.564144", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2abf", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.566800", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2aeb", 
"ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.569579", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2b1b", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.572825", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2b4d", "ProcessHandle": "0x27e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.576663", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2b90", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.579251", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2bbb", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.582030", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2bea", "ProcessHandle": "0x27e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.584594", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2c16", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.590070", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2c65", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.592605", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2c91", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.595861", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2cbb", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", 
"TimeStamp": "1716999135.598800", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ce6", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.601526", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d11", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.604141", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d3c", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.606902", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d6b", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.609430", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2d94", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", 
"ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.612208", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2dc3", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.614899", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2dee", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.617616", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2e1c", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.620261", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2e48", "ProcessHandle": "0x2274", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.623950", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", 
"EventUID": "0x2e79", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.628739", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2eb7", "ProcessHandle": "0x19c4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.631588", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2ee5", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.634330", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2f11", "ProcessHandle": "0x27e8", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.637492", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2f46", "ProcessHandle": "0x19c4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.640152", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x2f72", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.675513", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x306a", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.679584", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3095", "ProcessHandle": "0x27e4", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdcd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.689074", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x30e7", "ProcessHandle": "0x138c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cddd0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.693341", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x3111", "ProcessHandle": "0x1a80", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdde0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": 
"procmon", "TimeStamp": "1716999135.739552", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3338", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.740569", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x333c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.741259", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3343", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.741738", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3347", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.742553", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x334f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.742989", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3353", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.743658", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x335b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.744071", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x335f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.744765", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3367", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.745151", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x336b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.745808", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3373", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.746250", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", 
"Method": "NtProtectVirtualMemory", "EventUID": "0x3377", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.747127", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3380", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.747548", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3384", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.748188", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x338b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.748608", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x338f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.749306", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3397", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.749753", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x339b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.750476", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x33a3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.750896", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x33a7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.760245", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x341a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.762590", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3431", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.763124", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3435", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.763671", "PID": 
3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x343b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.764065", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x343f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.764524", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3443", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.764952", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3447", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.769350", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x344a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.769686", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x344f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": 
"PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.779983", "PID": 772, "PPID": 636, "TID": 1544, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtAdjustPrivilegesToken", "EventUID": "0x34c8", "ProcessHandle": 2147494836, "NewState": [{"SE_ASSIGNPRIMARYTOKEN_PRIVILEGE": "SE_PRIVILEGE_ENABLED"}]} +{"Plugin": "procmon", "TimeStamp": "1716999135.788041", "PID": 772, "PPID": 636, "TID": 1544, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtCreateUserProcess", "EventUID": "0x3539", "Status": "0x0", "NewProcessHandle": "0x708", "NewPid": 5388, "NewThreadHandle": "0x1170", "NewTid": 1452, "CommandLine": "C:\\\\Windows\\\\system32\\\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}", "ImagePathName": "C:\\Windows\\system32\\DllHost.exe", "DllPath": "", "CWD": "C:\\Windows\\system32\\"} +{"Plugin": "procmon", "TimeStamp": "1716999135.795251", "PID": 420, "PPID": 408, "TID": 1320, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe", "Method": "NtOpenProcess", "EventUID": "0x359a", "ProcessHandle": "0x4c8", "DesiredAccess": "0x1fffff", "ObjectAttributes": "0x1fc7a3f0b8", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999135.797656", "PID": 420, "PPID": 408, "TID": 1320, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe", "Method": "NtOpenThread", "EventUID": "0x35aa", "ThreadHandle": "0x668", "DesiredAccess": "0x1fffff", "ObjectAttributes": "0x1fc7a3f0b8", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "UniqueThread": 1452} +{"Plugin": "procmon", "TimeStamp": "1716999135.876474", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39c4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.877008", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39ca", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.877364", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39ce", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.877756", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39d1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.878109", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39d5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.878522", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": 
"1716999135.878816", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x39dd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.882878", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a11", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.883373", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a16", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.883830", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.884116", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a1e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.884483", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a22", "ProcessHandle": "0xffffffffffffffff", 
"NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.884761", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a25", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.885044", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a29", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.885268", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a2c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.886967", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a42", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887172", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a44", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887313", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x3a46", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887470", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887612", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887802", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.887943", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.888091", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a4f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.888312", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.888611", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a53", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.889350", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.889616", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.889917", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a61", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.890188", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a65", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.890524", "PID": 3564, "PPID": 
4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a69", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.890837", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a6d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.893109", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a88", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.893552", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a8c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.894193", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a92", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.894559", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a96", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999135.894916", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.895275", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3a9e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.895577", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3aa2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.895903", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3aa6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.897975", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3abd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.898617", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac1", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.899091", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.899469", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.899634", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ac8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.905465", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3acb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906046", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ace", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_WRITECOPY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906207", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3acf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906612", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ad3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.906984", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3ad7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.907694", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3adf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.909112", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3af2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911062", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b09", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911215", "PID": 3564, "PPID": 4852, 
"TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b0b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911409", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b0d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911561", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b0f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911707", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b11", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.911863", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b13", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912030", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b15", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999135.912200", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b17", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912351", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b19", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912493", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.912760", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b1d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.913033", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b1f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.913371", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b21", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.913716", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.914148", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3b24", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.926704", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bcd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.926982", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bd1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.927228", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bd5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.927798", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x3bdb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.928056", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bdf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.928343", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3be3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.929568", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bf4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.930259", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bfa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.930597", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3bfe", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.930954", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c02", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.931369", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c06", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999135.931688", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c0b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935286", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c35", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935449", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c37", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935611", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c39", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935784", "PID": 5388, "PPID": 772, "TID": 
1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c3b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.935931", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c3c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936093", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c3e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936261", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c40", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936415", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c42", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936561", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c44", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", 
"TimeStamp": "1716999135.936725", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c46", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.936862", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937007", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c4a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937152", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c4c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937329", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c4e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937590", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c50", "ProcessHandle": "0xffffffffffffffff", 
"NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.937906", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c52", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.938105", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c54", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.938308", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c56", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939132", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c58", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939319", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c5a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939532", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", 
"EventUID": "0x3c5c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.939789", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c5e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.940074", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c60", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.940293", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c62", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.943437", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c64", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.943622", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c66", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.943844", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c68", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944034", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c6a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944263", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c6c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944483", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c6e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.944713", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c70", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.945030", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c72", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.945249", "PID": 5388, "PPID": 772, "TID": 
1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3c74", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.959279", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3d3f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.969911", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3dd8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.976309", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3e33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999135.985145", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x3eb4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.058353", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4273", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974d3a0", "ClientID": 3888, "ClientName": 
"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.061241", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x428b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.062302", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x428f", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974d3a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.064922", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x42a7", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.067567", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x42c7", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.070083", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x42e7", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", 
"ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.072871", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4304", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.075179", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4324", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.077448", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4344", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.079751", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4364", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.082040", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", 
"EventUID": "0x4384", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.084267", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43a4", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.086552", "PID": 3888, "PPID": 2852, "TID": 3108, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43c4", "ProcessHandle": "0x2d4", "DesiredAccess": "0x410", "ObjectAttributes": "0x2ceef20", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.086860", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43c5", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.088941", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x43e3", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.091167", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4403", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.093517", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4423", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.095686", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4443", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974da60", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.098028", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4463", "ProcessHandle": "0x25b8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974dbf0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.102667", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x44a3", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e2a0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.107590", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x44e5", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e2b0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.112541", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x452d", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.115873", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4559", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.119303", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4589", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.122342", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x45b5", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": 
"0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.125623", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x45e2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.126010", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x45e3", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.129030", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4601", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.133053", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4633", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.136132", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x465e", "ProcessHandle": "0x14a4", "DesiredAccess": 
"0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.139816", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x468c", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.143187", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x46b7", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.145140", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.145450", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.145755", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.147605", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.147902", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46d8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.148255", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46da", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.148720", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x46db", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.154504", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x46e5", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.157622", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtOpenProcess", "EventUID": "0x4711", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.161115", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4741", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.164402", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x476c", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.168202", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x479c", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.169551", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47a4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170043", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47aa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170326", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ae", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170618", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47b2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.170893", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47b6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.171246", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ba", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.171565", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47be", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.172158", "PID": 3888, "PPID": 
2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x47c6", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.174224", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47dc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.174620", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47e0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.175095", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47e6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.175483", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ea", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.175930", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47ee", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.176305", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47f2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.176566", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x47f5", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.176843", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47f6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.177175", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x47fa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.180113", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4820", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": 
"1716999136.183621", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4850", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.186680", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x487c", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.190005", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48ab", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.193323", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x48d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.193729", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x48d7", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.197273", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4907", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.200741", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4933", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.201982", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4940", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.202600", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4942", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.203831", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4946", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.204242", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", 
"UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x494c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.204512", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4950", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.204787", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4954", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205052", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4958", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205368", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x495c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205623", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4960", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.205916", 
"PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4963", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.208423", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x497e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.208926", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4982", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.209426", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4988", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.209801", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x498c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.210144", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x498f", 
"ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.210424", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4990", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.210853", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4993", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.211240", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4997", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.211535", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x499b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.214223", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x49c1", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", 
"TimeStamp": "1716999136.217339", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x49ed", "ProcessHandle": "0x2720", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.220651", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a1d", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.223594", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a49", "ProcessHandle": "0x24f8", "DesiredAccess": "0x400", "ObjectAttributes": "0x974de70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.229105", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4a94", "ProcessHandle": "0x14a4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974df70", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.232270", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x4ac0", "ProcessHandle": "0x18dc", "DesiredAccess": "0x400", "ObjectAttributes": "0x974df80", 
"ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.239097", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4b23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.240001", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4b2f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.265058", "PID": 3564, "PPID": 4852, "TID": 5364, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4c96", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.267099", "PID": 3564, "PPID": 4852, "TID": 2200, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4c9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.278178", "PID": 3564, "PPID": 4852, "TID": 2200, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4d31", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.291438", "PID": 3564, "PPID": 4852, "TID": 6592, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4df5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.349263", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fcf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.349772", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fd3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.350434", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fdb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.350904", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fdf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.351522", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4fe6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.352145", "PID": 5388, "PPID": 772, 
"TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4feb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.352835", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4ff2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.353223", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4ff6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.353849", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x4ffe", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.354273", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5002", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.354887", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x500a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.355264", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x500e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.355933", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5017", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.356341", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x501b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.356998", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5022", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.357393", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5026", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.358043", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x502e", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.358415", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5032", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.359002", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5039", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.359388", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x503d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.418545", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x5374", "ProcessHandle": "0x24ec", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdde0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.429851", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x53ad", "ProcessHandle": "0x24ec", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdea0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.431344", "PID": 
5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53b8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.434287", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53ca", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.434931", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.435354", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.435711", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53d8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.436097", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53dc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.436421", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53e0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.436773", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x53e4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.437205", "PID": 3888, "PPID": 2852, "TID": 4344, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x53e8", "ProcessHandle": "0x235c", "DesiredAccess": "0x400", "ObjectAttributes": "0x98cdeb0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.441317", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5415", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.441761", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5419", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.442365", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x541f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.442779", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5423", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.443264", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5427", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.443679", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x542b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.443992", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x542f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.444318", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5433", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.446764", "PID": 5388, "PPID": 772, 
"TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x544d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.447214", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5450", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.447831", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5457", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.448231", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x545b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.448626", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x545f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.448998", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5462", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.449303", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5466", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.449667", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x546a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.454782", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x54b0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.462274", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5514", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.470683", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5590", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.498084", "PID": 3888, "PPID": 2852, "TID": 7048, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x570c", "ProcessHandle": "0x1820", "DesiredAccess": 
"0x410", "ObjectAttributes": "0x997ecc0", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.528964", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x58c3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.571557", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtOpenProcess", "EventUID": "0x5adb", "ProcessHandle": "0x88", "DesiredAccess": "0x2000000", "ObjectAttributes": "0x667e67ed00", "ClientID": 4852, "ClientName": "\\Device\\HarddiskVolume2\\Users\\litter\\Desktop\\malware.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579202", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b24", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579386", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b26", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579542", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b28", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": 
"1716999136.579682", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b2a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579853", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b2c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.579995", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b2e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580189", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b30", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580358", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b32", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580646", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b34", "ProcessHandle": "0xffffffffffffffff", 
"NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.580938", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b36", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.581210", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b38", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.581685", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b3a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.582151", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b3b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.582488", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b3d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.582850", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x5b3f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.583136", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b41", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.583410", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.583731", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b45", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584008", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b47", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584294", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b49", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584661", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b4b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.584930", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b4d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.585252", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b4f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.585627", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5b51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.598048", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bd7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.598510", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bdd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.598825", "PID": 3564, "PPID": 4852, 
"TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5be1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.599107", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5be5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.599397", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5be9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.599788", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.600404", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5bf5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.602499", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c0e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.603091", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c14", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.603467", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c17", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.603893", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.604280", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c1f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.604556", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.606826", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c3f", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.607243", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c42", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.607863", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.608343", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c4d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.608721", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.609087", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c55", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.609418", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", 
"Method": "NtProtectVirtualMemory", "EventUID": "0x5c59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.609699", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5c5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.642912", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e09", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.643411", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e0d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.643936", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e13", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.644312", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e17", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.644683", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e1b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.645090", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e1f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.645382", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e23", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.645688", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5e27", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.683068", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5ff7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.683542", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x5ffb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.684086", "PID": 3564, 
"PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6001", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.684456", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6005", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.684941", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6009", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685298", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x600d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685477", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x600e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685748", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6010", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.685830", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6011", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.685945", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6012", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686098", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6014", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686265", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6016", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686444", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6018", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686525", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6019", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686739", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x601a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.686900", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x601c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.687047", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x601e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.687313", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6020", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.688166", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6026", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.688461", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x602a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.688736", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x602e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.689001", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6032", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.689342", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6036", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.689692", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x603a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.690487", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6041", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.691219", "PID": 3564, "PPID": 4852, 
"TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6049", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.691707", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x604d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.692057", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6050", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.692886", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x605a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.698880", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60a8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.699383", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60ac", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", 
"TimeStamp": "1716999136.701966", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60ca", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.702460", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.702882", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.703283", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60d7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.703761", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60db", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.704057", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60df", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.704330", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60e2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.705117", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x60eb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.709492", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6124", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.709727", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6127", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.721201", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6179", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.721783", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x617d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.721946", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x617e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.722375", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6182", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.722897", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6187", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.723289", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x618b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.723676", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x618f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.724038", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6193", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.724333", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6197", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.724660", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x619b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.725166", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x619f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.747270", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x62d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.747801", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x62da", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.775106", "PID": 5388, "PPID": 772, 
"TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x643f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.775702", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6443", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.776244", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6449", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.776609", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x644d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.777020", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6451", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.778777", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6466", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999136.779075", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6469", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.779590", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x646d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.780525", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6478", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.783165", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6497", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.783655", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x649b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.784134", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x64a1", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.784699", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x64a4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.881303", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6a03", "ProcessHandle": "0x2624", "DesiredAccess": "0x400", "ObjectAttributes": "0x974df80", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.885997", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6a3d", "ProcessHandle": "0x2624", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e040", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.890765", "PID": 3888, "PPID": 2852, "TID": 5648, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x6a79", "ProcessHandle": "0x22f4", "DesiredAccess": "0x400", "ObjectAttributes": "0x974e050", "ClientID": 3888, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999136.945990", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d5a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": 
"PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946258", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d5c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946469", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d5e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946652", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d60", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946806", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d61", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.946975", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d63", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947150", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": 
"0x6d65", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947315", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d67", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947583", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d69", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.947881", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d6b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.948169", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d6d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.948464", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d6f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.949184", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d73", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.949663", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d79", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.949973", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.950277", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d81", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.950552", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d85", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.950924", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d89", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.951253", "PID": 3564, "PPID": 
4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6d8d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.953270", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6da9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.963916", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e3f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.964409", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.969129", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e7a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.969539", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e7e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999136.970086", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e84", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.970579", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e88", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.970956", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e8c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.971331", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e90", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.971592", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e94", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999136.971833", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e97", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999136.972394", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x6e9a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.008336", "PID": 772, "PPID": 636, "TID": 1544, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x7083", "ProcessHandle": "0x708", "DesiredAccess": "0x1000", "ObjectAttributes": "0x24890fecf0", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.021074", "PID": 288, "PPID": 636, "TID": 1520, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x7110", "ProcessHandle": "0x1f0c", "DesiredAccess": "0x1478", "ObjectAttributes": "0x72d7fff800", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.035120", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71c4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.035534", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71c8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.036032", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71ce", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.036416", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71d2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.037010", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71d6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.037422", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.037820", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71dd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.038171", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71e1", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.038745", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThread", "EventUID": "0x71e7", "ThreadHandle": "0x234", "DesiredAccess": "0x40", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 288, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "UniqueThread": 4464} +{"Plugin": "procmon", "TimeStamp": "1716999137.039726", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x71f2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.040107", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x71f5", "ProcessHandle": "0x234", "DesiredAccess": "0x400", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.044617", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x722e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.045106", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7232", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.069534", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7333", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.070044", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7337", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.086645", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7408", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.087103", "PID": 5388, "PPID": 772, "TID": 1452, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x740c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.138148", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76b8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.140571", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76d2", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.143437", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76ea", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.145259", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.146726", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x76fe", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.149063", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x770e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.156950", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7740", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.159596", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x7751", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.161561", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x775d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.163776", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7765", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.192940", "PID": 3564, "PPID": 4852, "TID": 4464, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7857", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_NOACCESS"} +{"Plugin": "procmon", "TimeStamp": "1716999137.228970", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a02", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.229468", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a06", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.231741", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a25", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.232190", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a28", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.232850", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a30", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.233172", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.234724", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.235138", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a47", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.238346", "PID": 3564, "PPID": 
4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a6c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.238752", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a70", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.240007", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a7e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.240405", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a82", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.241328", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a8d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.241726", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a91", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999137.242702", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a9c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.243005", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7a9f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.243565", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7aa6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.243950", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7aaa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.244886", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ab5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.245261", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ab9", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.267226", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bea", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.267614", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.267967", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bf1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.268512", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7bf4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.270241", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7c0d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.270545", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7c10", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.302735", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7d98", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.303139", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7d9c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.303662", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7da2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.304034", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7da6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.304405", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7daa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.304985", "PID": 3564, "PPID": 4852, 
"TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7daf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.305343", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7db2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.305780", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7db7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.307873", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dcd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.308362", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dd1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.308917", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dd7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.309365", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ddb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.309801", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7ddf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.310179", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7de3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.310492", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7de7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.310810", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7deb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.312324", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7dfe", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.313031", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7e05", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.363190", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7f2c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.363765", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x7f30", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.382089", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x802e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.387478", "PID": 3888, "PPID": 2852, "TID": 552, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x8076", "ProcessHandle": "0x25b8", "DesiredAccess": "0x1000", "ObjectAttributes": "0x8caefd0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.392311", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 
2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x80b7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.392763", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x80bb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.393201", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x80bf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.470902", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83e0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.471432", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83e4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.471836", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83e8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.472204", "PID": 
3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83ec", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.472717", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83f1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.473161", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x83f4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492027", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492217", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492461", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} 
+{"Plugin": "procmon", "TimeStamp": "1716999137.492617", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84f9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492793", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84fb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.492943", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84fd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493099", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x84ff", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493250", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8501", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493562", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8503", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493764", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8505", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.493997", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8507", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494190", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8509", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494415", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x850b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494632", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x850d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.494819", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x850f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.495002", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8511", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.495216", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8513", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.495416", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8515", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.496940", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8517", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497122", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8519", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497350", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x851b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497537", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x851d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497788", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x851f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.497988", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8521", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.499176", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8524", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.499687", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x852a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.500062", "PID": 5388, "PPID": 772, "TID": 
4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x852e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.500352", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8532", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.500638", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8536", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.501111", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x853a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.501457", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x853e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.503464", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8555", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", 
"TimeStamp": "1716999137.504002", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x855a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.504426", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x855e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.504863", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8562", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.505260", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8566", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.505578", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x856a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.507587", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8585", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.508087", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8589", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.508645", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x858f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.509078", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8593", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.509533", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8597", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.509912", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x859a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.510239", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0x859e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.510549", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85a2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.512713", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85ba", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.513164", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85be", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.513693", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85c4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.514104", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85c8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.514490", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85cc", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.514892", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.515184", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85d4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.515489", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85d8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.517533", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85f1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.518106", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.518639", "PID": 5388, "PPID": 772, 
"TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85fb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.519055", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x85ff", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.519469", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8603", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.519869", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8607", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.520218", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x860b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.520493", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x860f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.522450", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8629", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.523096", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x862f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.534552", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x86ce", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.535078", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x86d1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.545751", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x876a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.546251", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x876e", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.547085", "PID": 5388, "PPID": 772, "TID": 6920, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8776", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.547675", "PID": 5388, "PPID": 772, "TID": 6920, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x877b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.549365", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x878d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.549763", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8791", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.558921", "PID": 3888, "PPID": 2852, "TID": 552, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x87ea", "ProcessHandle": "0x2274", "DesiredAccess": "0x1000", "ObjectAttributes": "0x8caefd0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.560891", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, 
"ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x87f3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.561311", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x87f7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.581912", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x890a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.582342", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x890e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.585983", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x893e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.586371", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8941", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.594395", "PID": 5388, 
"PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89a6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.594787", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89aa", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.595388", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89af", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.595819", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89b3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.596212", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89b7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.596570", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89bb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999137.596896", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89bf", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.597242", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89c3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.597783", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x89c8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.627771", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8b59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.628340", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8b5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.634823", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bb0", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.635348", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bb4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.636078", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bbd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.636458", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bc1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.638269", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bd9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.638648", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bdd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.639914", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bec", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.640342", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8bf0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.666830", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d27", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.668068", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d2b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.673826", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d79", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.674317", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8d7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.692110", "PID": 3564, "PPID": 4852, 
"TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8e69", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.692558", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x8e6d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.742772", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x910e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.743325", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9112", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.751208", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9176", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.751652", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x917a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": 
"procmon", "TimeStamp": "1716999137.752220", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9180", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.752634", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9184", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.753042", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9188", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.753436", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x918c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.753767", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9190", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.754087", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9194", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.754702", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9199", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.791250", "PID": 288, "PPID": 636, "TID": 1520, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x9370", "ProcessHandle": "0x5ec", "DesiredAccess": "0x1478", "ObjectAttributes": "0x72d7fff800", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.808927", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenThread", "EventUID": "0x9450", "ThreadHandle": "0x2104", "DesiredAccess": "0x40", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 288, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "UniqueThread": 4236} +{"Plugin": "procmon", "TimeStamp": "1716999137.810108", "PID": 288, "PPID": 636, "TID": 372, "UserName": "SessionID", "UserId": 0, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", "Method": "NtOpenProcess", "EventUID": "0x9460", "ProcessHandle": "0x2104", "DesiredAccess": "0x400", "ObjectAttributes": "0x72d7a7f3e0", "ClientID": 5388, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999137.902511", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": 
"0x9971", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.902961", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9976", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.903332", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x997a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.903624", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x997d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.904006", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9981", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.904308", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9984", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.904797", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x998b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.906025", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x999b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999137.907243", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x99ac", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999137.907763", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x99b0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.008242", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9e8f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.009550", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0x9e93", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.029988", "PID": 3888, "PPID": 
2852, "TID": 552, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0x9f90", "ProcessHandle": "0x2620", "DesiredAccess": "0x1000", "ObjectAttributes": "0x8caefd0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.055427", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0b4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.055903", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0b8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.056419", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0bd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.056889", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0c1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.057336", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0c5", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.057787", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0c9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.058120", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0cd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.058423", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0d0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.059417", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa0d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.083396", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa1d5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.083865", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa1d9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.191235", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa7f7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.191649", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa7fb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.192228", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa800", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.192631", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa804", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.193021", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa808", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.193402", "PID": 5388, "PPID": 772, 
"TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa80c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.193749", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa810", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.194068", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa814", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.196168", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa828", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.196595", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa82c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.197116", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa832", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999138.197526", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa836", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.197941", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa83a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.198336", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa83e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.198626", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa842", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.198948", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa846", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.200237", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa856", "ProcessHandle": 
"0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.201308", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa862", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.203837", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa885", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.204359", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa889", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.208915", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa8b0", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.209316", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa8b4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.218109", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0xa91b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.218525", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa91e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.219083", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa924", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.219496", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa928", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.219917", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa92c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.220339", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa930", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.220756", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa934", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.221088", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa938", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.222528", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa949", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.225653", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa96f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.226113", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xa973", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.278433", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac1a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.278933", "PID": 5388, "PPID": 772, 
"TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac1e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.279516", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac24", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.280015", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac27", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.280429", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac2b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.280891", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac2f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.281210", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": 
"procmon", "TimeStamp": "1716999138.281556", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac37", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.282335", "PID": 5388, "PPID": 772, "TID": 4236, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\dllhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac3e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.287121", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac75", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.287536", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xac78", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.342652", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xaf1b", "ProcessHandle": "0x23cc", "DesiredAccess": "0x410", "ObjectAttributes": "0xa07f940", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.348130", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", 
"Method": "NtOpenProcess", "EventUID": "0xaf38", "ProcessHandle": "0x2274", "DesiredAccess": "0x1000", "ObjectAttributes": "0xa07f3c0", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.374085", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb09d", "ProcessHandle": "0x2274", "DesiredAccess": "0x1000", "ObjectAttributes": "0xa07f430", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.386542", "PID": 3888, "PPID": 2852, "TID": 5152, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtOpenProcess", "EventUID": "0xb142", "ProcessHandle": "0x2274", "DesiredAccess": "0x410", "ObjectAttributes": "0xa07e320", "ClientID": 3564, "ClientName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe"} +{"Plugin": "procmon", "TimeStamp": "1716999138.453231", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb4b2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.453883", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb4b5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.478495", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": 
"NtProtectVirtualMemory", "EventUID": "0xb5e4", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.478905", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5e8", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.497846", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5ed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.498357", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5f1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.498801", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5f5", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.499229", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5f9", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.499629", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb5fd", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.499955", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb601", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.500754", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb60a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.503133", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb62b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.503693", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb62f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.506301", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb64d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.506854", "PID": 3564, "PPID": 
4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb653", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.507237", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb657", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.507661", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb65b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.508069", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb65e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.508379", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb662", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.508703", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb666", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999138.509457", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb66f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.519007", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6e2", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.519524", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6e6", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.519974", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6eb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.520360", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb6ef", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.529420", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb75a", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.529882", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb75e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.563501", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb926", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.564020", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xb92a", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.618953", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbe1", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.620515", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbed", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.621029", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbf3", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.621415", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbf7", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.621985", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbfb", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.622387", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbbff", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.622716", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc03", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.623050", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc06", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.627221", "PID": 3564, "PPID": 
4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc33", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.627921", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc37", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.628540", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc3d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.628831", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc3e", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.629257", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc40", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.629640", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc43", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} 
+{"Plugin": "procmon", "TimeStamp": "1716999138.629916", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc44", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630318", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc48", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630500", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc49", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630856", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc4c", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.630983", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc4d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.631389", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc50", 
"ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.631590", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc51", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.632144", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc55", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.632513", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc59", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.632982", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc5d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "procmon", "TimeStamp": "1716999138.635565", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc76", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.635742", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": 
"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc77", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636121", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc79", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636340", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc7b", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636652", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc7d", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.636977", "PID": 3564, "PPID": 4852, "TID": 4716, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc7f", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.637435", "PID": 3564, "PPID": 4852, "TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc81", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READONLY"} +{"Plugin": "procmon", "TimeStamp": "1716999138.637955", "PID": 3564, "PPID": 4852, 
"TID": 3688, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe", "Method": "NtProtectVirtualMemory", "EventUID": "0xbc83", "ProcessHandle": "0xffffffffffffffff", "NewProtectWin32": "PAGE_READWRITE"} +{"Plugin": "inject", "TimeStamp": "1716999134.223756", "Method": "CreateProc", "Status": "Success", "ProcessName": "C:\\Users\\litter\\Desktop\\malware.exe", "Arguments": "", "InjectedPid": 4852, "InjectedTid": 6020} \ No newline at end of file